-
Notifications
You must be signed in to change notification settings - Fork 14.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: RLS for SQL Lab #19999
feat: RLS for SQL Lab #19999
Conversation
Codecov Report
@@ Coverage Diff @@
## master #19999 +/- ##
==========================================
- Coverage 66.28% 66.15% -0.14%
==========================================
Files 1712 1713 +1
Lines 63968 64071 +103
Branches 6731 6731
==========================================
- Hits 42404 42386 -18
- Misses 19853 19974 +121
Partials 1711 1711
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
dd10848
to
37058a5
Compare
parsed_query = ParsedQuery(sql_statement) | ||
if is_feature_enabled("RLS_IN_SQLLAB"): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the core of the PR, the rest is just passing username around.
elif username: | ||
user = self.find_user(username=username) | ||
else: | ||
return [] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice if flip, less indentation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One minor docstring comment. Also, would be nice to have at least minimal tests for this, as this is a fairly central security feature. If it's a lot of work, which I assume it is, I can try to help out!
self, template_processor: BaseTemplateProcessor | ||
self, | ||
template_processor: BaseTemplateProcessor, | ||
username: Optional[str] = None, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: username
is missing in the docstring here and in security_manager.get_rls_filters
. The main description says it retrieves rls filters for "the current user" - we should perhaps remove that text from both docstrings and state that if username
is missing, it will fall back to the current user.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, good catch and good point, @villebro! Let me fix the docstrings and add tests.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM with a very minor non-blocking nit. This is really great, as it will open up SQL Lab to RLS users 🚀
* feat: RLS for SQL Lab * Small fixes * Pass username to security manager * Update docstrings * Add tests * Remove type from docstring
SUMMARY
Add a new feature flag
RLS_IN_SQLLAB
that when enabled will make Superset apply relevant RLS rules to queries ran in SQL Lab.BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
Created a simple RLS on
bart_lines
:Confirmed that it works in Explore, as expected:
Ran query in SQL Lab, RLS is also applied:
TESTING INSTRUCTIONS
WIP
ADDITIONAL INFORMATION