Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Gamma users shouldn't be able to create roles #29687

Merged
merged 9 commits into from
Aug 21, 2024
Merged

fix: Gamma users shouldn't be able to create roles #29687

merged 9 commits into from
Aug 21, 2024

Conversation

hughhhh
Copy link
Member

@hughhhh hughhhh commented Jul 24, 2024
edited
Loading

SUMMARY

Currently users with gamma roles are still able to create roles, This PR is made to fix this as well as add test. Reason why this is happening is due to the instantiation of the ModelRestAPI classes happening here https://github.com/dpgaspar/Flask-AppBuilder/blob/2d527aae09eed50fd52c6bf886a2970adb225428/flask_appbuilder/security/sqla/manager.py#L97

To fix it we'll just be adding the new security views names to the ADMIN_ONLY_VIEW_MENUS List in the manager class

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

# logged in as GAMMA
$ curl "http://127.0.0.1:9000/api/v1/security/roles/" \
     -H 'Content-Type: application/json; charset=utf-8' \
     -d $'{
  "name": "new_role"
}'
>> 201

$ curl "http://127.0.0.1:9000/api/v1/security/roles/" \
     -H 'Content-Type: application/json; charset=utf-8' \
     -d $'{
  "name": "new_role"
}'
>> 403

TESTING INSTRUCTIONS

  1. Configure SuperSet to use DB authentication and set FAB_ADD_SECURITY_API = True
  2. Initialize SuperSet; be sure to add an administrator
  3. Launch SuperSet
  4. Browse to SuperSet
  5. Log in as the administrator
  6. Add a new user and grant them only the Gamma role
  7. Log out
  8. Log in as the new user
  9. Browse to the swagger endpoint (/swagger/v1)
  10. Find Security Roles
  11. Expand POST /api/v1/security/roles
  12. Click Try It Out
  13. In the Model schema area provide a name for a new role
  14. Click Execute

ADDITIONAL INFORMATION

  • Has associated issue: SEC-70
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@pull-request-size pull-request-size bot added size/M and removed size/S labels Jul 25, 2024
@github-actions github-actions bot added the api Related to the REST API label Jul 25, 2024
@pull-request-size pull-request-size bot added size/L and removed size/M labels Jul 26, 2024
@hughhhh hughhhh requested a review from dpgaspar July 26, 2024 22:43
@hughhhh
Copy link
Member Author

hughhhh commented Jul 26, 2024

@dpgaspar let me know if this pattern make sense or do you have another suggestion of either overriding the view registration, or adding security checks on the indy endpoints

dpgaspar
dpgaspar reviewed Jul 30, 2024
View reviewed changes
Copy link
Member

@dpgaspar dpgaspar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

instead of overriding register_views can we leverage this instead https://github.com/apache/superset/blob/master/superset/security/manager.py#L226
add the FAB security views

@hughhhh hughhhh changed the title [WIP] SEC-70 - Gamma users shouldn't be able to create roles [WIP] Gamma users shouldn't be able to create roles Jul 30, 2024
@github-actions github-actions bot removed the api Related to the REST API label Jul 31, 2024
@hughhhh hughhhh changed the title [WIP] Gamma users shouldn't be able to create roles fix: Gamma users shouldn't be able to create roles Jul 31, 2024
eschutho
eschutho reviewed Jul 31, 2024
View reviewed changes
tests/integration_tests/security/api_tests.py Outdated
# data=json.dumps({"name": "new_role"}),
# content_type="application/json",
# )
# self.assert403(response)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yey for all the new tests! What should we do with these last two?

Copy link
Member Author

@hughhhh hughhhh Jul 31, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Going to finishes these up today, mainly wanted to get the adjustment @dpgaspar in and will close these up soon

@hughhhh hughhhh marked this pull request as ready for review August 6, 2024 23:10
@dosubot dosubot bot added api Related to the REST API authentication:access-control Rlated to access control labels Aug 6, 2024
@github-actions github-actions bot removed the api Related to the REST API label Aug 7, 2024
@hughhhh hughhhh force-pushed the SEC-70 branch 2 times, most recently from f35fd4c to cc096fe Compare August 7, 2024 05:37
@pull-request-size pull-request-size bot added size/M and removed size/L labels Aug 7, 2024
hughhhh
hughhhh commented Aug 7, 2024
View reviewed changes
superset/config.py Outdated
@@ -320,6 +320,8 @@ def _try_json_readsha(filepath: str, length: int) -> str | None:
# ex: http://localhost:8080/swagger/v1
FAB_API_SWAGGER_UI = True

FAB_ADD_SECURITY_API = True
Copy link
Member Author

@hughhhh hughhhh Aug 7, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dpgaspar did we make and update in flask app builder to make this default True? When I recently pulled these were getting KeyError: FAB_ADD_SECURITY_API not found Also I saw that flask app builder has this default True so to allow these test to run I just made this value consistent with what I saw upstream

Can you verify that this is what's happening?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Default is false on FAB: https://github.com/dpgaspar/Flask-AppBuilder/blob/2d527aae09eed50fd52c6bf886a2970adb225428/flask_appbuilder/security/sqla/manager.py#L97

The link your mentioning is an example app

@hughhhh hughhhh requested review from dpgaspar and eschutho August 8, 2024 19:16
dpgaspar
dpgaspar approved these changes Aug 19, 2024
View reviewed changes
Copy link
Member

@dpgaspar dpgaspar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, just a couple of non blocking comments

superset/config.py Outdated
@@ -320,6 +320,8 @@ def _try_json_readsha(filepath: str, length: int) -> str | None:
# ex: http://localhost:8080/swagger/v1
FAB_API_SWAGGER_UI = True

FAB_ADD_SECURITY_API = True
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Default is false on FAB: https://github.com/dpgaspar/Flask-AppBuilder/blob/2d527aae09eed50fd52c6bf886a2970adb225428/flask_appbuilder/security/sqla/manager.py#L97

The link your mentioning is an example app

tests/integration_tests/security/api_tests.py Outdated
@with_config({"FAB_ADD_SECURITY_API": True})
def test_get_security_roles_gamma(self):
"""
Security API: Admin should be able to create roles
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: comment is not correct

tests/integration_tests/security/api_tests.py Outdated
@with_config({"FAB_ADD_SECURITY_API": True})
def test_get_security_roles_admin(self):
"""
Security API: Admin should be able to create roles
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Security API: Admin should be able to get roles

@hughhhh hughhhh merged commit 7650c47 into master Aug 21, 2024
33 checks passed
sadpandajoe pushed a commit that referenced this pull request Aug 27, 2024
@hughhhh @sadpandajoe
fix: Gamma users shouldn't be able to create roles (#29687)
fe33689 
(cherry picked from commit 7650c47)
@sadpandajoe sadpandajoe added the v4.1 Label added by the release manager to track PRs to be included in the 4.1 branch label Sep 4, 2024
@rusackas rusackas deleted the SEC-70 branch September 27, 2024 20:54
@github-actions github-actions bot added 🍒 4.1.0 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels labels Nov 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dpgaspar dpgaspar dpgaspar approved these changes

@eschutho eschutho Awaiting requested review from eschutho

Assignees
No one assigned
Labels
authentication:access-control Rlated to access control 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels review:draft size/M v4.1 Label added by the release manager to track PRs to be included in the 4.1 branch 🍒 4.1.0 🍒 4.1.1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@hughhhh @dpgaspar @eschutho @mistercrunch @sadpandajoe @michael-s-molina