Implement permission request/approve flow.

[bkyryliuk]

This PR implements the basic request permissions flow: #1049
For the 1st iteration it is pretty simple flow:

• permission requests exist on the user - datasource (table or druid) level
• user is redirected to the request form if he/she doesn't have permissions
• admins, alphas or datasource owners have permissions to approve the requests. only admins can grant roles to the users
• the access request view is visible to admins only
• there are 2 ways to grant the permission to the user, grant the user role that has access to the datasource, extend the role the user already has to provide access to the datasource
• disallows multiple requests to the same datasource
• extensive testing, it was quite tricky to make it working

Potential future improvements:

• request access to the databases, not only to the datasources
• include free form message in the request form
• offer to create a role if there are 0 roles granting access to the given datasource
• email notifications
• batch approval
• automatic clean up of the request if approving one of the requests resolves all others
• store some metadata - dashboard / slide ids
• better support for the dashboards - show the slices you have access to and allow to request access to others

Reviewers:

• @mistercrunch
• @ascott
• @vera-liu

Screenshots

[mistercrunch]

Looks neat!

[mistercrunch]

no need for id="app" afaict

[mistercrunch]

wrap the whole thing in a <div class="container"> to get a nice left and right margin

[mistercrunch]

oh this should now be in master now

[mistercrunch]

Rename to datasource_link
I'd except a link to be a <a> and a url to be http://...

[mistercrunch]

nit: would fit on one line

[mistercrunch]

NIT: it works here, but .all() could be aligned with .filter(

[mistercrunch]

Empty lists evals as False, so you can simply if duplicates:

[mistercrunch]

this endpoint and model related perms should be added to the admin role only (check the cil's init function), then we don't need anything else than @has_access.

[bkyryliuk]

Done and covered in the unit tests

[mistercrunch]

Not needed but there could be a need to cleanup here. If I asked access to 12 tables and you grant a single role that gives access to all 8 tables, you could clean up the other 7 requests, but let's leave this out for v1.

[bkyryliuk]

Yep, will do it in separate PR

[bkyryliuk]

@mistercrunch - please take another look

[mistercrunch]

Sorry for the "close to the finish line" changes in requirements, tell me what you think.

[mistercrunch]

I should have caught this before, but it's critical that we keep an audit trail of who granted access to what/who/when. One way to do this is to not delete the request, and flag it as resolved instead (add a state field to the model, a fk to the userid who granted access, timestamp when it was granted, and maybe the resolution that was applied).

Another option is to store the operation in another model.

[bkyryliuk]

@log_this - tackles it now

[mistercrunch]

nit: one too many black line

[mistercrunch]

We probably need a new role for people who can grant rights to others that are not admin. It doesn't have to be part of this PR, your call.

[bkyryliuk]

agree, separate PR

[mistercrunch]

we probably want to follow the new pattern of datasource_id and datasource_type that was introduced in the Yahoo PR

[bkyryliuk]

Updated

[mistercrunch]

related to my other comment about auditing who granted what to who, I'd add:

state as ('requested', 'granted' and maybe eventually 'denied')
processed_by_userid Integer
processed_on Datetime

[bkyryliuk]

I've refactored the code in a way that @log_this will have all needed information

[bkyryliuk]

@mistercrunch - please take one more look on the PR, couple new features

• cleans up all the user requests, not just 1 once the access to the datasource is granted1.
• logs the requests and approves
• follows new rules of the datasource access

[mistercrunch]

optional: indent is inconsistent with other queries, looks like maybe sublime auto-indented that.

Sometimes when I have long strings that get referenced a lot in a small section of code, I create a shortcut as in DAR = models.DatasourceAccessRequest.

[bkyryliuk]

Done, thanks

[mistercrunch]

LGTM. This is an awesome feature, great work!

It's lowering friction around obtaining access, granting access, and addressing the lack of auditing around access, all this is super impactful.

Follow up, related items:

• maintain a system role for people who can grant rights
• document the flows in the security section of the docs
• a quick way to see the columns in the table (tooltip? link to endpoint that list the columns for a table?)
• it's not clear yet, but something around managing how granters could only grant permissions to a subset of dataset (this may be over-thinking it at this point)

[aleksarias]

Hello, I don't see any information on how to activate this feature. I don't see it in the latest release of superset, 0.37.2. Does anyone know if it can be activated in that version?

[aleksarias]

Found the setting the full example config file: https://github.com/apache/incubator-superset/blob/master/superset/config.py

# Set this to false if you don't want users to be able to request/grant
# datasource access requests from/to other users.
ENABLE_ACCESS_REQUEST = False

[aleksarias]

After enabling this feature, I'm getting "NOT FOUND".
https://mydomain.com/superset/dashboard/46/superset/request_access/?dashboard_id=46&

Is there something else that needs to be activated in order to get this feature to work?