-
Notifications
You must be signed in to change notification settings - Fork 14k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: datasource access to allow more granular access to tables on SQL Lab #18064
feat: datasource access to allow more granular access to tables on SQL Lab #18064
Conversation
1283be9
to
7c7363e
Compare
Codecov Report
@@ Coverage Diff @@
## master #18064 +/- ##
==========================================
- Coverage 66.34% 66.16% -0.18%
==========================================
Files 1569 1588 +19
Lines 61685 62480 +795
Branches 6240 6240
==========================================
+ Hits 40927 41343 +416
- Misses 19161 19540 +379
Partials 1597 1597
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
Hey @Painyjames it's great that you went forward and implemented this. Let me ping a few people who can review this PR! |
7c7363e
to
36ecd8b
Compare
/testenv up |
@betodealmeida Ephemeral environment spinning up at http://54.200.220.32:8080. Credentials are |
I created a test user But I wasn't able to query the table: SELECT * FROM examples.messages On the browser console I can see the error: {
"errors": [
{
"message": "You need access to the following tables: `examples.messages`,\n `all_database_access` or `all_datasource_access` permission",
"error_type": "TABLE_SECURITY_ACCESS_ERROR",
"extra": {
"link": "",
"tables": [
"examples.messages"
]
}
}
]
} Maybe @dpgaspar can shed some light here? |
36ecd8b
to
37bb936
Compare
I think the reason why this might not work is because the permission is In the acceptance tests we have against our patched superset container, we have the following:
This works fine cause we only have one schema on our database, but we wouldn't know what would happen if we had several schemas with the same table on the same database. In any case, this is still better than having only the schema permission that would grant access to all the tables under that schema, but honestly maybe we should consider generating permissions which are like this:
|
I've just test it out on the test environment and, even though couldn't load the schema, I was able to run a SQL statement against the allowed table. |
37bb936
to
cefdc6b
Compare
cefdc6b
to
1fa370c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Quick pass, left a comment. This is a delicate change, we should make sure this is backward compatible
schema_name = self.default_schema_backend_map[example_db.backend] | ||
uri = f"superset/tables/{example_db.id}/{schema_name}/{table_name}/" | ||
rv = self.client.get(uri) | ||
self.assertEqual(rv.status_code, 200) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you add a test where the table is not allowed also?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added 👍
cc42159
to
c5ddcfc
Compare
@villebro @betodealmeida @zhaoyongjie are you guys happy with this PR? :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Really nice improvement! I left a minor readability comment, but the changes LGTM at face value. I agree with @dpgaspar that this is a delicate change, so we should make sure to test this properly. I will do some testing tomorrow.
/testenv up |
@villebro Ephemeral environment spinning up at http://35.87.122.84:8080. Credentials are |
@Painyjames I just spun up an ephemeral envirnonment for testing - if it's not too much trouble, do you think it would be possible to add a few test users with relevant perms (at leat one with and one without datasource access) and instructions for testing so we can validate the changes here? |
Worth mentioning that, with the datasource access user, somehow I cannot select the schema and table on the dropdown lists, although querying the allowed datasource is still possible. |
I believe this is an unrelated bug and might be resolved by #18564 Edit: it appears to be a perm thing after all. Let me see check the best way to handle this |
in the issue, the requirement was to allow querying on physical table on db (without need to create dataset) but datasource permission here is used for dataset layer in superset. |
Also I think the reason it doesn't show schema in the dropdown for sqlite is when examples are loaded in sqlite, this attribute |
@mayurnewase @villebro is there any way this can go ahead with out the sql lite fix? just to know if there's going to be a dependency on that issue. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tested and I agree we can leave the sqlite issue to be fixed in a follow-up PR. As the added functionality is well in line with the current logic, I feel this is good to go. @mayurnewase do you feel there's risk in merging this? I would also love to get an approval from @dpgaspar and/or @betodealmeida before merging.
I tested on postgresql and worked as intended. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no blocking suggestion, other LGTM.
Co-authored-by: Yongjie Zhao <yongjiezhao@apache.org>
@Painyjames Could you fix this code style issue? thanks! |
Ephemeral environment shutdown and build artifacts deleted. |
@@ -25,21 +25,28 @@ | |||
|
|||
class DatabaseFilter(BaseFilter): | |||
# TODO(bogdan): consider caching. | |||
def schema_access_databases(self) -> Set[str]: # noqa pylint: disable=no-self-use | |||
|
|||
def can_access_databases( # noqa pylint: disable=no-self-use |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: any reason why this can't be @staticmethod
?
@@ -237,13 +242,14 @@ def get_schema_perm( # pylint: disable=no-self-use | |||
|
|||
return None | |||
|
|||
def unpack_schema_perm( # pylint: disable=no-self-use | |||
def unpack_database_and_schema( # pylint: disable=no-self-use |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: any reason why these can't be @staticmethod
?
SUMMARY
We'd like to have a more granular access to tables on SQL Lab, which currently can only be done at schema or database level. This PR would then tackle the story we raised a couple of days ago.
TESTING INSTRUCTIONS
Assign a datasource permission to a role and check that users with that role can only query that particular datasource.
ADDITIONAL INFORMATION