chore: Add granular permissions for actions in Dashboard #27029
superset-frontend/src/components/Chart/ChartContextMenu/ChartContextMenu.tsx
@@ -726,7 +726,8 @@ def create_custom_permissions(self) -> None: | |||
self.add_permission_view_menu("can_csv", "Superset") | |||
self.add_permission_view_menu("can_share_dashboard", "Superset") | |||
self.add_permission_view_menu("can_share_chart", "Superset") | |||
self.add_permission_view_menu("can_view_and_drill", "Dashboard") |
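Review bot: the `can_view_and_drill` registration on `Dashboard` at the end of this hunk sits in `create_custom_permissions`, which only registers permission/view pairs, so changing it here does nothing for roles that were already granted that permission. Pair the change with a database migration that moves existing grants to the replacement permissions and removes the stale permission-view row, and give the migration a downgrade path that restores the old grant.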
I know that can_view_and_drill permission wasn't around for long so probably few people have used it, but shouldn't we create a migration for it?
It'd be nice to have a reusable function for perm migration that we could use in database migrations. Now that we have migration_utils.py in theory it could contain a function migrate_permission(before_perm, after_perm). Though in theory it should only be used for equivalent (rename) or more atomic/selective permissions.
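The reusable helper suggested in the comment above could look like the following. This is an added example, not code from the PR or from Superset's migration_utils.py; the simplified schema, the helper names `pv_id` and `grant`, and the signature taking (permission, view) pairs are assumptions.

```python
import sqlite3

# Simplified Flask-AppBuilder permission tables (constructed for this example).
SCHEMA = """
CREATE TABLE ab_permission (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE ab_view_menu (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE ab_permission_view (id INTEGER PRIMARY KEY, permission_id INT,
    view_menu_id INT, UNIQUE (permission_id, view_menu_id));
CREATE TABLE ab_permission_view_role (id INTEGER PRIMARY KEY,
    permission_view_id INT, role_id INT, UNIQUE (permission_view_id, role_id));
"""

def pv_id(conn, perm, view, create=False):
    """Return the ab_permission_view id for (perm, view), creating it if asked."""
    if create:
        conn.execute("INSERT OR IGNORE INTO ab_permission (name) VALUES (?)", (perm,))
        conn.execute("INSERT OR IGNORE INTO ab_view_menu (name) VALUES (?)", (view,))
        conn.execute(
            "INSERT OR IGNORE INTO ab_permission_view (permission_id, view_menu_id) "
            "SELECT p.id, v.id FROM ab_permission p, ab_view_menu v "
            "WHERE p.name = ? AND v.name = ?", (perm, view))
    row = conn.execute(
        "SELECT pv.id FROM ab_permission_view pv "
        "JOIN ab_permission p ON p.id = pv.permission_id "
        "JOIN ab_view_menu v ON v.id = pv.view_menu_id "
        "WHERE p.name = ? AND v.name = ?", (perm, view)).fetchone()
    return row[0] if row else None

def grant(conn, role_id, perm, view):
    """Grant (perm, view) to a role; a grant the role already holds is left alone."""
    conn.execute("INSERT OR IGNORE INTO ab_permission_view_role "
                 "(permission_view_id, role_id) VALUES (?, ?)",
                 (pv_id(conn, perm, view, create=True), role_id))

def migrate_permission(conn, before, after):
    """Move role grants from `before` to every pair in `after`, then drop `before`.
    Only roles already holding `before` get the new grants. Returns those role
    ids; the caller commits."""
    old = pv_id(conn, *before)
    if old is None:  # already migrated or never created: re-running is a no-op
        return []
    roles = [r[0] for r in conn.execute(
        "SELECT role_id FROM ab_permission_view_role "
        "WHERE permission_view_id = ? ORDER BY role_id", (old,))]
    for perm, view in after:
        for role_id in roles:
            grant(conn, role_id, perm, view)
    conn.execute("DELETE FROM ab_permission_view_role WHERE permission_view_id = ?", (old,))
    conn.execute("DELETE FROM ab_permission_view WHERE id = ?", (old,))
    return roles
```

Because new grants are copied only from roles that held the old permission, the helper cannot widen access for any other role; whether the `after` pairs are no broader than `before` remains the migration author's call, as the comment notes.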
hi I have all roles. And can not see drill down menu in superset graphs. Why?
hi I have all roles. And can not see drill down menu in superset graphs. Why?
Just to ask basic support questions, are you not seeing them in ANY chart, or just not EVERY chart? They're still not supported everywhere. They also appear on right-click, which might not be the most discoverable thing in the world :)
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## master #27029 +/- ##
==========================================
+ Coverage 67.19% 69.54% +2.34%
==========================================
Files 1899 1899
Lines 74380 74385 +5
Branches 8275 8276 +1
==========================================
+ Hits 49981 51728 +1747
+ Misses 22344 20602 -1742
Partials 2055 2055
…o/ch77449/dashboard-granular-permissions
@sfirke in terms of fixing the mentioned issues, I think this PR should be the solution. Drill to detail must be tied to The View as table and View query options now can be enabled granularly and the Edit chart buttons in the respective Modals will be disabled if As for what concerns assigning/changing permissions of the existing roles, this is beyond the scope of this PR and I think it would be best to discuss this opportunity in the appropriate channels. Thanks!
@geido I think drill by needs the can_explore permission only for the "Edit chart" button. If we made that button conditionally disabled if user doesn't have access to Explore and sent the post request in line 90 in
That's right. Drill by does not need I would aim to merge this PR as it is and continue in a follow-up.
...t/migrations/versions/2024-02-07_17-13_87d38ad83218_migrate_can_view_and_drill_permission.py
Hi, I think that I found a small bug. Can you check it?
hello @geido
Is there a plan to allow end-users to be able to Drill with having Thanks
For the sake of the thread, @icrc-fdeniger opened an issue regarding that permission question: #27900
Hi @puru-khedre. You can always check the CHANGELOG to see if a particular PR was included in a release. This one was included in 4.0.0 as you can see here.
Thanks @michael-s-molina
First of all, thank you for your answer.
- I enter the system with the admin role. All roles are open. Dimension
columns are marked for my fields in the dataset.
[image: image.png]
- FEATURE_FLAGS settings in the config py file are as below.
FEATURE_FLAGS = {
"DASHBOARD_NATIVE_FILTERS": True,
"DASHBOARD_CROSS_FILTERS": True,
"DASHBOARD_DRILL_DOWN": True,
"DRILL_TO_DETAIL": True,
"DRILL_BY": True
}
- And I have all roles for my admin user,
but when I check my graphs I can't see drill down options, as below. How
can I do it? Thanks
[image: image.png]
So I added the self.add_permission_view_menu("can_view_and_drill",
"Dashboard") under the def create_custom_permissions(self) -> None: like
you said. There is no "can_view_and_drill" in the roles. What can I do?
Thanks.
On Thu, 2 May 2024 at 21:14, Evan Rusackas <***@***.***> wrote:
… ***@***.**** commented on this pull request.
------------------------------
In superset/security/manager.py
<#27029 (comment)>:
> @@ -726,7 +726,8 @@ def create_custom_permissions(self) -> None:
self.add_permission_view_menu("can_csv", "Superset")
self.add_permission_view_menu("can_share_dashboard", "Superset")
self.add_permission_view_menu("can_share_chart", "Superset")
- self.add_permission_view_menu("can_view_and_drill", "Dashboard")
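Review bot: the `-` line dropping `can_view_and_drill` on `Dashboard` retires a permission name that administrators may already have assigned to custom roles, and nothing in this hunk tells them what to grant instead. Add an entry to the project's upgrade notes that names the replacement permissions, so operators know which grants to look for in their roles after upgrading.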
hi I have all roles. And can not see drill down menu in superset graphs.
Why?
Just to ask basic support questions, are you not seeing them in ANY chart,
or just not EVERY chart? They're still not supported everywhere. They also
appear on right-click, which might not be the most discoverable thing in the
world :)
Hello @agunoglu
Hi @geido, I want to understand why the can_view_and_drill permission was removed. The issue that I am facing is that I wish to have a read-user who can just view the chart table and just drill. I don't want to expose the query/edit/chart. That was a very good use case which you implemented, so why did you remove it? Also, how can I implement my case again?
Hi @geido, I have the same problem here: I can enable Cannot use drill-by/drill-to without can explore on Superset permission #27900
Yes, it does not. I was referring to the first part of the previous comment. Feel free to implement more granular permissions. Happy to help with reviews and guidance. Thanks!
Hi,
there is no permission for can_view_chart_as_table in my Superset role
permissions. How can I add it?
[image: image.png]
On Wed, 31 Jul 2024 at 17:42, Geido <***@***.***> wrote:
… Hi @geido <https://github.com/geido>, can_view_chart_as_table does not
produce the same result as drill to detail, as shown in the image.
I have the same problem here: I can enable drill to detail by adding the can
read on Explore and can samples on Datasource permissions. However, it's
noted that the can explore permission is currently mandatory but gives too
many privileges.
can_view_chart_as_table
Screenshot.2024-07-31.at.10.01.12.png (view on web)
<https://github.com/user-attachments/assets/ebdb4f1f-bfd2-4509-8de3-636592e6168e>
drill to detail
Screenshot.2024-07-31.at.09.56.52.png (view on web)
<https://github.com/user-attachments/assets/eca8fb75-b840-43c6-8558-d4462104daeb>
Cannot use drill-by/drill-to without can explore on Superset permission
#27900 <#27900>
chore: Add granular permissions for actions in Dashboard #27029
<#27029>
Slack thread
<https://apache-superset.slack.com/archives/C0170U650CQ/p1721237807169809>
Yes, it does not. I was referring to the first part of the previous
comment. Feel free to implement more granular permissions. Happy to help
with reviews and guidance. Thanks!
@agunoglu hard to tell without a bit more info. Are you running on latest master? Have you updated your Superset instance to apply the new permissions?
We don't use the latest version of Superset. After which version is it
active? Thank you very much.
On Thu, 1 Aug 2024 at 16:59, Geido <***@***.***> wrote:
… @agunoglu <https://github.com/agunoglu> hard to tell without a bit more
info. Are you running on latest master? Have you updated your Superset
instance to apply the new permissions?
SUMMARY
This PR introduced a new permission to enable view and drilling actions on the Dashboard independently of the can_explore permission #26798. However, from recent feedback it is clear that the need is to have more granularity for these permissions.

This PR introduces the following permissions:
- can_view_chart_as_table to enable the "View as table" option in the chart actions in a Dashboard
- can_view_query to enable the "View query" option in the chart actions in a Dashboard

This PR also implements the following changes:
- can_view_and_drill introduced in chore: Add permission to view and drill on Dashboard context #26798.
- can_explore and can_samples as can_samples is a required backend permission for Drill to detail to work
- can_explore and can_write_ExploreFormDataRestAPI as the latter is a required backend permission for the submission of form data when interacting with Drill by

Fixes #26762
Fixes #25630

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
N.A.

TESTING INSTRUCTIONS
- can_view_chart_as_table should see the View as table option without can_explore permission
- can_view_query should see the View query option without can_explore permission
- can_samples should not be able to see Drill to detail
- can_write_ExploreFormDataRestAPI should not see Drill by

ADDITIONAL INFORMATION
can explore on Superset permission #25630
Gamma role does not have permissions to drill #26762