Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: Refactor dashboard security access #24804

Conversation

john-bodley
Copy link
Member

@john-bodley john-bodley commented Jul 25, 2023

SUMMARY

Whilst spelunking through the codebase recently in order to fix some dashboard RBAC issues I noticed the raise_for_dashboard_access method (drafted prior to #13235) which coincides with the more generic raise_for_access method.

This PR extends the previous intent to migrate the logic into the raise_for_access method which ensures all entity based access checks use the same call stack. Furthermore this approach allows for more context aware checks, i.e., whether a user has access to a dataset/datasource in the context of viewing a dashboard.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

CI.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@@ -26,7 +26,6 @@ class SupersetErrorType(str, Enum):
Types of errors that can exist within Superset.

Keep in sync with superset-frontend/src/components/ErrorMessage/types.ts
and docs/src/pages/docs/Miscellaneous/issue_codes.mdx
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These docs no longer exist.

@john-bodley john-bodley force-pushed the john-bodley--integrate-raise-for-dashboard-access branch 2 times, most recently from d1d627b to 3a6710f Compare July 25, 2023 20:21
@@ -1852,6 +1867,45 @@ def raise_for_access(
self.get_datasource_access_error_object(datasource)
)

if dashboard:
if self.is_guest_user():
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Identical logic which was previously in raise_for_dashboard_access.

@codecov
Copy link

codecov bot commented Jul 25, 2023

Codecov Report

Merging #24804 (97687d0) into master (7397ab3) will increase coverage by 0.03%.
The diff coverage is 96.66%.

❗ Current head 97687d0 differs from pull request most recent head b312294. Consider uploading reports for the commit b312294 to get more accurate results

@@            Coverage Diff             @@
##           master   #24804      +/-   ##
==========================================
+ Coverage   68.96%   69.00%   +0.03%     
==========================================
  Files        1906     1906              
  Lines       74122    74127       +5     
  Branches     8208     8208              
==========================================
+ Hits        51116    51148      +32     
+ Misses      20883    20856      -27     
  Partials     2123     2123              
Flag Coverage Δ
hive 54.17% <26.66%> (+<0.01%) ⬆️
javascript 55.83% <ø> (ø)
mysql 79.21% <96.66%> (+<0.01%) ⬆️
postgres 79.31% <96.66%> (?)
presto 54.07% <26.66%> (+<0.01%) ⬆️
python 83.37% <96.66%> (+0.07%) ⬆️
sqlite 77.89% <96.66%> (+<0.01%) ⬆️
unit 55.04% <26.66%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Changed Coverage Δ
...rset-frontend/src/components/ErrorMessage/types.ts 100.00% <ø> (ø)
superset/security/manager.py 94.43% <94.44%> (ø)
superset/daos/dashboard.py 96.72% <100.00%> (+0.04%) ⬆️
superset/errors.py 94.52% <100.00%> (+0.07%) ⬆️
superset/models/dashboard.py 77.90% <100.00%> (+0.17%) ⬆️
superset/views/core.py 69.40% <100.00%> (-0.07%) ⬇️

... and 9 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@john-bodley
Copy link
Member Author

@eschutho and @Vitor-Avila as mentioned in #24892 this refactor should help with your efforts in readdressing the problem outlined in #24808 as now the raise_for_access method is dashboard (context) aware, i.e., the caller could be mutated to be of the form,

security_manager.raise_for_access(dashboard=dashboard, datasource=datasource)

as opposed to

security_manager.raise_for_access(datasource=datasource)

or similar.

@john-bodley john-bodley force-pushed the john-bodley--integrate-raise-for-dashboard-access branch from dc7d725 to 32de355 Compare August 4, 2023 21:23
@john-bodley john-bodley force-pushed the john-bodley--integrate-raise-for-dashboard-access branch from 32de355 to b312294 Compare August 4, 2023 21:33
@Vitor-Avila
Copy link
Contributor

Vitor-Avila commented Aug 4, 2023

thanks @john-bodley, that makes perfect sense! I'll wait for these changes to get merged too so I can update my fork and take a look at this.

Copy link
Member

@michael-s-molina michael-s-molina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@john-bodley john-bodley merged commit 5522fac into apache:master Aug 9, 2023
john-bodley added a commit to john-bodley/superset that referenced this pull request Aug 9, 2023
@michael-s-molina michael-s-molina added the v3.0 Label added by the release manager to track PRs to be included in the 3.0 branch label Aug 10, 2023
michael-s-molina pushed a commit that referenced this pull request Aug 10, 2023
@mistercrunch mistercrunch added 🍒 3.0.3 🍒 3.0.4 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 3.1.0 labels Mar 8, 2024
vinothkumar66 pushed a commit to vinothkumar66/superset that referenced this pull request Nov 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels size/L v3.0 Label added by the release manager to track PRs to be included in the 3.0 branch 🍒 3.0.0 🍒 3.0.1 🍒 3.0.2 🍒 3.0.3 🍒 3.0.4 🚢 3.1.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants