Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: revert permission refactoring PR #21313

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 0 additions & 40 deletions superset/security/manager.py
Original file line number Diff line number Diff line change
Expand Up @@ -24,13 +24,11 @@
Any,
Callable,
cast,
DefaultDict,
Dict,
List,
NamedTuple,
Optional,
Set,
Tuple,
TYPE_CHECKING,
Union,
)
Expand Down Expand Up @@ -2125,41 +2123,3 @@ def is_admin(self) -> bool:
return current_app.config["AUTH_ROLE_ADMIN"] in [
role.name for role in self.get_user_roles()
]

def get_permissions(
self,
user: User,
) -> Tuple[Dict[str, List[List[str]]], DefaultDict[str, List[str]]]:
if not user.roles:
raise AttributeError("User object does not have roles")

roles = defaultdict(list)
permissions = defaultdict(set)

query = (
self.get_session.query(Role.name, Permission.name, ViewMenu.name)
.join(assoc_user_role, assoc_user_role.c.role_id == Role.id)
.join(Role.permissions)
.join(PermissionView.view_menu)
.join(PermissionView.permission)
)

if user.is_anonymous:
public_role = current_app.config.get("AUTH_ROLE_PUBLIC")
query = query.filter(Role.name == public_role)
elif self.is_guest_user(user):
guest_role = current_app.config.get("GUEST_ROLE_NAME")
query = query.filter(Role.name == guest_role)
else:
query = query.filter(assoc_user_role.c.user_id == user.id)

rows = query.all()
for role, permission, view_menu in rows:
if permission in ("datasource_access", "database_access"):
permissions[permission].add(view_menu)
roles[role].append([permission, view_menu])

transformed_permissions = defaultdict(list)
for perm in permissions:
transformed_permissions[perm] = list(permissions[perm])
return roles, transformed_permissions
26 changes: 24 additions & 2 deletions superset/views/utils.py
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,9 @@
# specific language governing permissions and limitations
# under the License.
import logging
from collections import defaultdict
from functools import wraps
from typing import Any, Callable, Dict, List, Optional, Tuple, Union
from typing import Any, Callable, DefaultDict, Dict, List, Optional, Tuple, Union
from urllib import parse

import msgpack
Expand Down Expand Up @@ -93,13 +94,34 @@ def bootstrap_user_data(user: User, include_perms: bool = False) -> Dict[str, An
}

if include_perms:
roles, permissions = security_manager.get_permissions(user)
roles, permissions = get_permissions(user)
payload["roles"] = roles
payload["permissions"] = permissions

return payload


def get_permissions(
user: User,
) -> Tuple[Dict[str, List[List[str]]], DefaultDict[str, List[str]]]:
if not user.roles:
raise AttributeError("User object does not have roles")

roles = defaultdict(list)
permissions = defaultdict(set)

for role in user.roles:
permissions_ = security_manager.get_role_permissions(role)
for permission in permissions_:
if permission[0] in ("datasource_access", "database_access"):
permissions[permission[0]].add(permission[1])
roles[role.name].append([permission[0], permission[1]])
transformed_permissions = defaultdict(list)
for perm in permissions:
transformed_permissions[perm] = list(permissions[perm])
return roles, transformed_permissions


def get_viz(
form_data: FormData,
datasource_type: str,
Expand Down
202 changes: 0 additions & 202 deletions tests/integration_tests/security_tests.py
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,6 @@
load_world_bank_dashboard_with_slices,
load_world_bank_data,
)
from .dashboard_utils import get_table

NEW_SECURITY_CONVERGE_VIEWS = (
"Annotation",
Expand All @@ -73,159 +72,6 @@
"SavedQuery",
)

GAMMA_ROLE_PERMISSIONS = {
"Gamma": [
["menu_access", "List Users"],
["can_read", "SavedQuery"],
["can_write", "SavedQuery"],
["can_read", "CssTemplate"],
["can_write", "CssTemplate"],
["can_read", "ReportSchedule"],
["can_write", "ReportSchedule"],
["can_read", "AvailableDomains"],
["can_read", "Chart"],
["can_write", "Chart"],
["can_read", "Annotation"],
["can_write", "Annotation"],
["can_read", "Dataset"],
["can_read", "Dashboard"],
["can_write", "Dashboard"],
["can_read", "Database"],
["can_read", "Query"],
["can_this_form_post", "ResetMyPasswordView"],
["can_this_form_get", "ResetMyPasswordView"],
["can_this_form_post", "UserInfoEditView"],
["can_this_form_get", "UserInfoEditView"],
["can_userinfo", "UserDBModelView"],
["resetmypassword", "UserDBModelView"],
["can_get", "OpenApi"],
["can_show", "SwaggerView"],
["can_get", "MenuApi"],
["can_list", "AsyncEventsRestApi"],
["can_read", "AdvancedDataType"],
["can_invalidate", "CacheRestApi"],
["can_export", "Chart"],
["can_read", "DashboardFilterStateRestApi"],
["can_write", "DashboardFilterStateRestApi"],
["can_read", "DashboardPermalinkRestApi"],
["can_write", "DashboardPermalinkRestApi"],
["can_delete_embedded", "Dashboard"],
["can_get_embedded", "Dashboard"],
["can_export", "Dashboard"],
["can_read", "EmbeddedDashboard"],
["can_read", "Explore"],
["can_read", "ExploreFormDataRestApi"],
["can_write", "ExploreFormDataRestApi"],
["can_read", "ExplorePermalinkRestApi"],
["can_write", "ExplorePermalinkRestApi"],
["can_delete", "FilterSets"],
["can_list", "FilterSets"],
["can_edit", "FilterSets"],
["can_add", "FilterSets"],
["can_import_", "ImportExportRestApi"],
["can_export", "ImportExportRestApi"],
["can_export", "SavedQuery"],
["can_show", "DynamicPlugin"],
["can_list", "DynamicPlugin"],
["can_time_range", "Api"],
["can_query_form_data", "Api"],
["can_query", "Api"],
["can_this_form_post", "CsvToDatabaseView"],
["can_this_form_get", "CsvToDatabaseView"],
["can_this_form_post", "ExcelToDatabaseView"],
["can_this_form_get", "ExcelToDatabaseView"],
["can_this_form_post", "ColumnarToDatabaseView"],
["can_this_form_get", "ColumnarToDatabaseView"],
["can_get", "Datasource"],
["can_external_metadata", "Datasource"],
["can_external_metadata_by_name", "Datasource"],
["can_get_value", "KV"],
["can_store", "KV"],
["can_my_queries", "SqlLab"],
["can_created_dashboards", "Superset"],
["can_testconn", "Superset"],
["can_estimate_query_cost", "Superset"],
["can_explore", "Superset"],
["can_fetch_datasource_metadata", "Superset"],
["can_search_queries", "Superset"],
["can_save_dash", "Superset"],
["can_dashboard_permalink", "Superset"],
["can_warm_up_cache", "Superset"],
["can_request_access", "Superset"],
["can_datasources", "Superset"],
["can_available_domains", "Superset"],
["can_dashboard", "Superset"],
["can_annotation_json", "Superset"],
["can_created_slices", "Superset"],
["can_slice_json", "Superset"],
["can_profile", "Superset"],
["can_filter", "Superset"],
["can_validate_sql_json", "Superset"],
["can_slice", "Superset"],
["can_sqllab", "Superset"],
["can_log", "Superset"],
["can_recent_activity", "Superset"],
["can_tables", "Superset"],
["can_fave_slices", "Superset"],
["can_sqllab_viz", "Superset"],
["can_fave_dashboards", "Superset"],
["can_results", "Superset"],
["can_extra_table_metadata", "Superset"],
["can_schemas_access_for_file_upload", "Superset"],
["can_fave_dashboards_by_username", "Superset"],
["can_csv", "Superset"],
["can_add_slices", "Superset"],
["can_explore_json", "Superset"],
["can_sqllab_history", "Superset"],
["can_import_dashboards", "Superset"],
["can_sqllab_table_viz", "Superset"],
["can_stop_query", "Superset"],
["can_favstar", "Superset"],
["can_copy_dash", "Superset"],
["can_queries", "Superset"],
["can_user_slices", "Superset"],
["can_delete", "TableSchemaView"],
["can_post", "TableSchemaView"],
["can_expanded", "TableSchemaView"],
["can_get", "TabStateView"],
["can_post", "TabStateView"],
["can_migrate_query", "TabStateView"],
["can_put", "TabStateView"],
["can_activate", "TabStateView"],
["can_delete", "TabStateView"],
["can_delete_query", "TabStateView"],
["can_get", "TagView"],
["can_tagged_objects", "TagView"],
["can_post", "TagView"],
["can_delete", "TagView"],
["can_suggestions", "TagView"],
["can_read", "SecurityRestApi"],
["menu_access", "List Roles"],
["menu_access", "Action Log"],
["menu_access", "Access requests"],
["menu_access", "Home"],
["menu_access", "Annotation Layers"],
["menu_access", "Plugins"],
["menu_access", "Import Dashboards"],
["menu_access", "Alerts & Report"],
["menu_access", "Dashboards"],
["menu_access", "Charts"],
["menu_access", "SQL Editor"],
["menu_access", "Saved Queries"],
["menu_access", "Query Search"],
["menu_access", "Data"],
["menu_access", "Databases"],
["menu_access", "Datasets"],
["can_share_dashboard", "Superset"],
["can_share_chart", "Superset"],
],
"schema_access_role": [["schema_access", "[examples].[temp_schema]"]],
"dummy_role": [
["datasource_access", "[examples].[wb_health_population](id:1)"],
["database_access", "[examples].(id:1)"],
],
}


def get_perm_tuples(role_name):
perm_set = set()
Expand Down Expand Up @@ -1757,54 +1603,6 @@ def test_views_are_secured(self):
view_str = "\n".join([str(v) for v in unsecured_views])
raise Exception(f"Some views are not secured:\n{view_str}")

@patch("superset.utils.core.g")
@patch("superset.security.manager.g")
def test_get_permissions_gamma_user(self, mock_sm_g, mock_g):
session = db.session
role_name = "dummy_role"
gamma_user = security_manager.find_user(username="gamma")
security_manager.add_role(role_name)
dummy_role = security_manager.find_role(role_name)
gamma_user.roles.append(dummy_role)

table = (
db.session.query(SqlaTable)
.filter_by(table_name="wb_health_population")
.one()
)
table_perm = table.perm
security_manager.add_permission_role(
dummy_role,
security_manager.find_permission_view_menu("datasource_access", table_perm),
)
security_manager.add_permission_role(
dummy_role,
security_manager.find_permission_view_menu(
"database_access", table.database.perm
),
)

session.commit()

mock_g.user = mock_sm_g.user = security_manager.find_user("gamma")
with self.client.application.test_request_context():
roles, permissions = security_manager.get_permissions(mock_g.user)
assert "dummy_role" in roles
assert "Gamma" in roles
assert sorted(roles["Gamma"]) == sorted(GAMMA_ROLE_PERMISSIONS["Gamma"])
assert sorted(roles["schema_access_role"]) == sorted(
GAMMA_ROLE_PERMISSIONS["schema_access_role"]
)

assert len(permissions) == 2
assert "[examples].(id:" in permissions["database_access"][0]
assert "[examples].[" in permissions["datasource_access"][0]

# cleanup
gamma_user = security_manager.find_user(username="gamma")
gamma_user.roles.remove(security_manager.find_role(role_name))
session.commit()


class TestSecurityManager(SupersetTestCase):
"""
Expand Down