Add permissions decider for delegating access controls. #4409
Conversation
timifasubaa
force-pushed
the
add_permissions_decider
branch
3 times, most recently
from
dc60303
to
a722485
Compare
|
|
||
| # System to handle delegated data access. Implement both is_allowed_access() and | ||
| # is_eligible_datasource() to delegate access controls. | ||
| class PermsDecider: |
There was a problem hiding this comment.
Shouldn't that be a static class (not meant to be instantiated)? Also note that in py2 it's always preferable to derive object as in class PermsDecider(object):.
Also this base class should probably be declared outside of config.py (maybe security.py)?
What about simplifying the interface with a simple has_datasource_access(user, datasource) callable that only applies if it's defined?
There was a problem hiding this comment.
Agree that it should be a static class.
The concern is that if it is defined outside of config.py, there's no way to delegate access decisions to a system outside of superset.
Since perms_decider might only apply to a subset of databases ot datasources, If we use has_datasource_access, it's not clear what to return when the datasource in question is out of the jurisdiction of the perms_decider.
There was a problem hiding this comment.
The interface could be such that has_datasource_access could return None to say that it's out of its jurisdiction.
def has_datasource_access(user, datasource):
if in_my_jurisdiction(datasource):
return has_access_according_to_me(user, datasource)
return NoneThere was a problem hiding this comment.
But None is falsey and so it will be easy to mix up access denied with I don't know enough to decide for this datasource (from this db)
superset/viz.py
Outdated
| @@ -307,7 +307,12 @@ def get_df_payload(self, query_obj=None): | |||
| cached_dttm = datetime.utcnow().isoformat().split('.')[0] | |||
| if cache_key and cache and not self.force: | |||
| cache_value = cache.get(cache_key) | |||
| if cache_value: | |||
| perms_decider = config.get('DATA_PERMS_DECIDER') | |||
| perms_decider_disapproves = ( | |||
There was a problem hiding this comment.
viz.py doesn't currently handle authorization, I'd rather avoid scattering the auth logic further across modules. Seems like ideally we'd have most security-related logic in security.py and have views/base.py wrap that up.
There was a problem hiding this comment.
In our case, we don't want to provide info from the cache based on superset permissions. Rather from an outside system. I moved the check from viz.py to explore_json. and set force=true when the perms_decider denied the person access.
timifasubaa
force-pushed
the
add_permissions_decider
branch
from
a722485
to
aaa8398
Compare
timifasubaa
force-pushed
the
add_permissions_decider
branch
from
aaa8398
to
e5f3d05
Compare
|
An alternative solution would be to refactor the datasource permissions to be handled by an abstract security class. The current FAB logic could be be transferred to a derived class (which would be the default implementation), which would allows others to implement their own security model, bypassing FAB completely for datasource access if desired. |
|
Superceeded by #4565 and following PRs |
This PR creates the perms_decider object in the config which gives different deployments the ability to delegate data access control with the
is_eligible_datasource()which decides if the perms_decider can handle access decisions for a datasource andis_allowed_access()which decides if the user has access.I also added in a case where we consult the perms decider before loading from the cache. With the default options, the cache flow doesn't change since is_eligible_datasource returns False.
@fabianmenges @john-bodley @mistercrunch