From 7e5fb84e9c0502128c7c10947fcd9babbfd3d254 Mon Sep 17 00:00:00 2001
From: Daniel Gaspar
Date: Fri, 3 Jul 2020 09:36:07 +0100
Subject: [PATCH 1/6] fix(permissions): alpha role is inconsistent
---
superset/security/manager.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/superset/security/manager.py b/superset/security/manager.py
index d0276371f5a1a..e6fb9d93a0cc0 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -132,6 +132,9 @@ class SupersetSecurityManager( # pylint: disable=too-many-public-methods
"SQL Lab",
"Queries",
"Refresh Druid Metadata",
+ "AnnotationLayerModelView",
+ "CssTemplateModelView",
+ "QueryView",
"ResetPasswordView",
"RoleModelView",
"LogModelView",
@@ -149,6 +152,7 @@ class SupersetSecurityManager( # pylint: disable=too-many-public-methods
"can_approve",
"can_update_role",
"all_query_access",
+ "import_dashboards",
}
READ_ONLY_PERMISSION = {"can_show", "can_list", "can_get", "can_external_metadata"}
From 48108286d4e9255e95b30d091f72e16e5191aff8 Mon Sep 17 00:00:00 2001
From: Daniel Gaspar
Date: Mon, 6 Jul 2020 10:29:53 +0100
Subject: [PATCH 2/6] reverse and allow Alpha to access manager menu
---
superset/security/manager.py | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/superset/security/manager.py b/superset/security/manager.py
index e6fb9d93a0cc0..50141b66ec889 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -128,13 +128,9 @@ class SupersetSecurityManager( # pylint: disable=too-many-public-methods
ADMIN_ONLY_VIEW_MENUS = {
"AccessRequestsModelView",
- "Manage",
"SQL Lab",
"Queries",
"Refresh Druid Metadata",
- "AnnotationLayerModelView",
- "CssTemplateModelView",
- "QueryView",
"ResetPasswordView",
"RoleModelView",
"LogModelView",
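Review bot: "AnnotationLayerModelView", "CssTemplateModelView" and "QueryView" leave ADMIN_ONLY_VIEW_MENUS here without being added to any other restricted set, because the companion hunk at @@ -142 puts only menu titles ("Manage", "CSS Templates", "Queries") into ALPHA_ONLY_VIEW_MENUS. If the role helpers compare pvm.view_menu.name against these sets (they are outside the hunk), the can_add/can_edit/can_delete permissions on those model views would then fall through to Gamma as well as Alpha, which is wider than the commit title describes. Either add the model-view names next to the menu titles, e.g. `"AnnotationLayerModelView", "CssTemplateModelView",` in ALPHA_ONLY_VIEW_MENUS, or add Gamma negative assertions for them; the class body continues outside the hunk.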
@@ -142,7 +138,13 @@ class SupersetSecurityManager( # pylint: disable=too-many-public-methods
"RowLevelSecurityFiltersModelView",
} | USER_MODEL_VIEWS
- ALPHA_ONLY_VIEW_MENUS = {"Upload a CSV"}
+ ALPHA_ONLY_VIEW_MENUS = {
+ "Manage",
+ "CSS Templates",
+ "Queries",
+ "Import dashboards",
+ "Upload a CSV",
+ }
ADMIN_ONLY_PERMISSIONS = {
"can_sql_json", # TODO: move can_sql_json to sql_lab role
@@ -152,7 +154,6 @@ class SupersetSecurityManager( # pylint: disable=too-many-public-methods
"can_approve",
"can_update_role",
"all_query_access",
- "import_dashboards",
}
READ_ONLY_PERMISSION = {"can_show", "can_list", "can_get", "can_external_metadata"}
From d2244a9b5e232ce40a68ba879fa8d318ee765fe7 Mon Sep 17 00:00:00 2001
From: Daniel Gaspar
Date: Fri, 10 Jul 2020 16:23:24 +0100
Subject: [PATCH 3/6] Bump FAB to 3.0.1rc1 to include del permission fix
---
requirements.txt | 2 +-
setup.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/requirements.txt b/requirements.txt
index 3b6292de8c75d..8784a3a2b9b29 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -29,7 +29,7 @@ decorator==4.4.2 # via retry
defusedxml==0.6.0 # via python3-openid
dnspython==1.16.0 # via email-validator
email-validator==1.1.0 # via flask-appbuilder
-flask-appbuilder==3.0.0 # via apache-superset (setup.py)
+flask-appbuilder==3.0.1rc1 # via apache-superset (setup.py)
flask-babel==1.0.0 # via flask-appbuilder
flask-caching==1.8.0 # via apache-superset (setup.py)
flask-compress==1.5.0 # via apache-superset (setup.py)
diff --git a/setup.py b/setup.py
index 200d90251457b..18154b22c4eee 100644
--- a/setup.py
+++ b/setup.py
@@ -78,7 +78,7 @@ def get_git_sha():
"cryptography>=2.4.2",
"dataclasses<0.7",
"flask>=1.1.0, <2.0.0",
- "flask-appbuilder>=3.0.0, <4.0.0",
+ "flask-appbuilder==3.0.1rc1",
"flask-caching",
"flask-compress",
"flask-talisman",
From 631c97e48c0a778f6c53ba9388bce05522b8fd41 Mon Sep 17 00:00:00 2001
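Review bot: "Annotation Layers" is absent from the new ALPHA_ONLY_VIEW_MENUS literal, although the tests added later in this series assert Alpha has `("menu_access", "Annotation Layers")` and UPDATING.md names it as an Alpha feature. If this set is what keeps Gamma out of the Manage sub-menus (the helper that reads it is outside the hunk), Gamma presumably keeps menu access to Annotation Layers while losing CSS Templates, which is inconsistent. Add `"Annotation Layers",` beside `"CSS Templates",` and pair the positive Alpha assertions with a Gamma-side `self.assertNotIn(("menu_access", "Annotation Layers"), perm_set)`.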
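Review bot: Taking "import_dashboards" out of ADMIN_ONLY_PERMISSIONS lowers the trust level required for the dashboard import path, which presumably parses a user-supplied file, from Admin to every Alpha user. That is a deliberate product choice in this series, but nothing near the set records it, so a future reader is likely to put it back or to assume the importer is only ever reached by admins; a one-line comment such as `# import_dashboards is deliberately Alpha-reachable (PR 10241)` on the set, plus confirming that the importer validates its payload rather than relying on the caller being an admin, would close that gap. The set literal continues outside the hunk.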
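Review bot: The `"flask-appbuilder==3.0.1rc1",` pin replaces the `>=3.0.0, <4.0.0` range in install_requires with an exact pre-release, so everyone who installs the package is forced onto an rc and cannot pick up a later Flask-AppBuilder fix until setup.py changes again. If the 3.0.1 fix is needed, a lower bound that still admits the rc, `"flask-appbuilder>=3.0.1rc1, <4.0.0",`, keeps the range style of the neighbouring entries and leaves the exact pin to requirements.txt.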
From: Daniel Gaspar
Date: Mon, 27 Jul 2020 02:49:14 +0100
Subject: [PATCH 4/6] add docs, tests and UPDATING
---
UPDATING.md | 1 +
docs/security.rst | 5 +++--
tests/security_tests.py | 22 +++++++++++++++++++++-
3 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/UPDATING.md b/UPDATING.md
index 4d669d0825387..9be2680b0ba64 100644
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -22,6 +22,7 @@ This file documents any backwards-incompatible changes in Superset and
assists people when migrating to a new version.
## Next
+* [10241](https://github.com/apache/incubator-superset/pull/10241): change on Alpha role, users started to have access to "Annotation Layers", "Css Templates" and "Import Dashboards".
* [9964](https://github.com/apache/incubator-superset/pull/9964): Breaking change on Flask-AppBuilder 3. If you're using OAuth, find out what needs to be changed [here](https://github.com/dpgaspar/Flask-AppBuilder/blob/master/README.rst#change-log).
diff --git a/docs/security.rst b/docs/security.rst
index 911aabead26a3..29afdce5fed93 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -46,8 +46,9 @@ other users and altering other people's slices and dashboards.
Alpha
"""""
-Alpha users have access to all data sources, but they cannot grant or revoke access
-from other users. They are also limited to altering the objects that they
+Alpha users have access to all data sources, and all features except SQLLab and
+security, so they cannot grant or revoke access from other users.
+They are also limited to altering the objects that they
own. Alpha users can add and alter data sources.
Gamma
diff --git a/tests/security_tests.py b/tests/security_tests.py
index 278400f260ff2..b06d8b8f35bd1 100644
--- a/tests/security_tests.py
+++ b/tests/security_tests.py
@@ -570,6 +570,9 @@ def assert_can_all(self, view_menu, permissions_set):
self.assert_can_read(view_menu, permissions_set)
self.assert_can_write(view_menu, permissions_set)
+ def assert_can_menu(self, view_menu, permissions_set):
+ self.assertIn(("menu_access", view_menu), permissions_set)
+
def assert_can_gamma(self, perm_set):
self.assert_can_read("TableModelView", perm_set)
@@ -592,10 +595,23 @@ def assert_can_gamma(self, perm_set):
self.assertIn(("can_explore", "Superset"), perm_set)
self.assertIn(("can_explore_json", "Superset"), perm_set)
self.assertIn(("can_userinfo", "UserDBModelView"), perm_set)
+ self.assert_can_menu("Databases", perm_set)
+ self.assert_can_menu("Tables", perm_set)
+ self.assert_can_menu("Sources", perm_set)
+ self.assert_can_menu("Charts", perm_set)
+ self.assert_can_menu("Dashboards", perm_set)
def assert_can_alpha(self, perm_set):
+ self.assert_can_all("AnnotationLayerModelView", perm_set)
+ self.assert_can_all("CssTemplateModelView", perm_set)
self.assert_can_all("TableModelView", perm_set)
-
+ self.assertIn(("can_import_dashboards", "Superset"), perm_set)
+ self.assertIn(("can_this_form_post", "CsvToDatabaseView"), perm_set)
+ self.assertIn(("can_this_form_get", "CsvToDatabaseView"), perm_set)
+ self.assert_can_menu("Manage", perm_set)
+ self.assert_can_menu("Annotation Layers", perm_set)
+ self.assert_can_menu("CSS Templates", perm_set)
+ self.assert_can_menu("Upload a CSV", perm_set)
self.assertIn(("all_datasource_access", "all_datasource_access"), perm_set)
def assert_cannot_alpha(self, perm_set):
@@ -617,6 +633,10 @@ def assert_can_admin(self, perm_set):
self.assertIn(("can_override_role_permissions", "Superset"), perm_set)
self.assertIn(("can_approve", "Superset"), perm_set)
+ self.assert_can_menu("Security", perm_set)
+ self.assert_can_menu("List Users", perm_set)
+ self.assert_can_menu("List Roles", perm_set)
+
def test_is_admin_only(self):
self.assertFalse(
security_manager._is_admin_only(
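Review bot: The new assertions in assert_can_gamma, assert_can_alpha and assert_can_admin (hunks @@ -570, @@ -592 and @@ -617) only confirm that each role has the new menu and view permissions; nothing checks that the role below does not, so a regression that hands "Manage", "CSS Templates" or "Import dashboards" to Gamma, or "Security" or "SQL Lab" to Alpha, would still pass. Give the new helper a negative twin, `def assert_cannot_menu(self, view_menu, permissions_set):` with body `self.assertNotIn(("menu_access", view_menu), permissions_set)`, and call it from assert_cannot_alpha (whose body is outside the hunk) for "Security" and "SQL Lab", and from the Gamma negative helper, if one exists outside this view, for each menu added to ALPHA_ONLY_VIEW_MENUS.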
From b38ce2366b68cce0fca7f177074c72ae2511fe9e Mon Sep 17 00:00:00 2001
From: Daniel Gaspar
Date: Mon, 27 Jul 2020 02:51:58 +0100
Subject: [PATCH 5/6] EOL
---
UPDATING.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/UPDATING.md b/UPDATING.md
index 32e05b3907d89..1c664ecd421d3 100644
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -22,6 +22,7 @@ This file documents any backwards-incompatible changes in Superset and
assists people when migrating to a new version.
## Next
+ * [10241](https://github.com/apache/incubator-superset/pull/10241): change on Alpha role, users started to have access to "Annotation Layers", "Css Templates" and "Import Dashboards".
* [10320](https://github.com/apache/incubator-superset/pull/10320): References to blacklst/whitelist language have been replaced with more appropriate alternatives. All configs refencing containing `WHITE`/`BLACK` have been replaced with `ALLOW`/`DENY`. Affected config variables that need to be updated: `TIME_GRAIN_BLACKLIST`, `VIZ_TYPE_BLACKLIST`, `DRUID_DATA_SOURCE_BLACKLIST`.
From 766f14a3a78f2fa97d4db8752c7cd92f3b811951 Mon Sep 17 00:00:00 2001
From: Daniel Gaspar
Date: Mon, 27 Jul 2020 03:06:24 +0100
Subject: [PATCH 6/6] Fix query view for Alpha
---
superset/security/manager.py | 1 -
tests/security_tests.py | 1 +
2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/superset/security/manager.py b/superset/security/manager.py
index 0646fe4ec1ce5..da92d1684bdc7 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -129,7 +129,6 @@ class SupersetSecurityManager( # pylint: disable=too-many-public-methods
ADMIN_ONLY_VIEW_MENUS = {
"AccessRequestsModelView",
"SQL Lab",
- "Queries",
"Refresh Druid Metadata",
"ResetPasswordView",
"RoleModelView",
diff --git a/tests/security_tests.py b/tests/security_tests.py
index fd68a781b2992..60d20fde09dc7 100644
--- a/tests/security_tests.py
+++ b/tests/security_tests.py
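Review bot: Removing "Queries" from ADMIN_ONLY_VIEW_MENUS, on top of QueryView leaving the set earlier in the series, makes the query list readable by Alpha, while the docs/security.rst hunk in this same series still tells users Alpha has "all features except SQLLab and security". If QueryView is the SQL Lab query history (the view itself is outside this diff) it likely exposes other users' queries, SQL text included, so either the docs sentence should say that Alpha can read the query log or QueryView should stay admin-only with only the menu moving. "Queries" also stays in ALPHA_ONLY_VIEW_MENUS, which gates the menu but not the QueryView can_list pvm on the Gamma side; the set literal continues outside the hunk.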
@@ -605,6 +605,7 @@ def assert_can_alpha(self, perm_set):
self.assert_can_all("AnnotationLayerModelView", perm_set)
self.assert_can_all("CssTemplateModelView", perm_set)
self.assert_can_all("TableModelView", perm_set)
+ self.assert_can_read("QueryView", perm_set)
self.assertIn(("can_import_dashboards", "Superset"), perm_set)
self.assertIn(("can_this_form_post", "CsvToDatabaseView"), perm_set)
self.assertIn(("can_this_form_get", "CsvToDatabaseView"), perm_set)
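Review bot: `self.assert_can_read("QueryView", perm_set)` pins only the positive half of this fix; that Alpha does not also receive write permissions on QueryView is left unasserted. If Flask-AppBuilder registers write permissions for that view at all, add `self.assertNotIn(("can_delete", "QueryView"), perm_set)` right after it; if the view is list-only, a short comment saying so would explain why no write assertion follows. assert_can_alpha continues outside the hunk.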