From 29f451228ded5d5c1020ebf178332c86cea899b7 Mon Sep 17 00:00:00 2001 From: John Bodley Date: Thu, 9 Jun 2022 23:22:02 -0700 Subject: [PATCH 1/5] chore(rls): Remove passing global username --- superset/connectors/sqla/models.py | 5 +---- superset/security/manager.py | 5 ----- superset/sql_lab.py | 1 - superset/sql_parse.py | 6 ++---- tests/unit_tests/sql_parse_tests.py | 1 - 5 files changed, 3 insertions(+), 15 deletions(-) diff --git a/superset/connectors/sqla/models.py b/superset/connectors/sqla/models.py index 60eff5e6304ab..9bfa3857971ae 100644 --- a/superset/connectors/sqla/models.py +++ b/superset/connectors/sqla/models.py @@ -1135,7 +1135,6 @@ def is_alias_used_in_orderby(col: ColumnElement) -> bool: def get_sqla_row_level_filters( self, template_processor: BaseTemplateProcessor, - username: Optional[str] = None, ) -> List[TextClause]: """ Return the appropriate row level security filters for this table and the @@ -1143,14 +1142,12 @@ def get_sqla_row_level_filters( Flask global namespace. :param template_processor: The template processor to apply to the filters. - :param username: Optional username if there's no user in the Flask global - namespace. :returns: A list of SQL clauses to be ANDed together. """ all_filters: List[TextClause] = [] filter_groups: Dict[Union[int, str], List[TextClause]] = defaultdict(list) try: - for filter_ in security_manager.get_rls_filters(self, username): + for filter_ in security_manager.get_rls_filters(self): clause = self.text( f"({template_processor.process_template(filter_.clause)})" ) diff --git a/superset/security/manager.py b/superset/security/manager.py index b231b93b48655..1a1413d5b564e 100644 --- a/superset/security/manager.py +++ b/superset/security/manager.py @@ -1146,21 +1146,16 @@ def get_guest_rls_filters( def get_rls_filters( self, table: "BaseDatasource", - username: Optional[str] = None, ) -> List[SqlaQuery]: """ Retrieves the appropriate row level security filters for the current user and the passed table. :param BaseDatasource table: The table to check against. - :param Optional[str] username: Optional username if there's no user in the Flask - global namespace. :returns: A list of filters """ if hasattr(g, "user"): user = g.user - elif username: - user = self.find_user(username=username) else: return [] diff --git a/superset/sql_lab.py b/superset/sql_lab.py index 785d16327f7f2..571fd94219aa7 100644 --- a/superset/sql_lab.py +++ b/superset/sql_lab.py @@ -208,7 +208,6 @@ def execute_sql_statement( # pylint: disable=too-many-arguments,too-many-statem parsed_query._parsed[0], # pylint: disable=protected-access database.id, query.schema, - username=get_username(), ) ) ) diff --git a/superset/sql_parse.py b/superset/sql_parse.py index b585810f785a2..d377986f56573 100644 --- a/superset/sql_parse.py +++ b/superset/sql_parse.py @@ -553,7 +553,6 @@ def get_rls_for_table( candidate: Token, database_id: int, default_schema: Optional[str], - username: Optional[str] = None, ) -> Optional[TokenList]: """ Given a table name, return any associated RLS predicates. @@ -586,7 +585,7 @@ def get_rls_for_table( template_processor = dataset.get_template_processor() predicate = " AND ".join( str(filter_) - for filter_ in dataset.get_sqla_row_level_filters(template_processor, username) + for filter_ in dataset.get_sqla_row_level_filters(template_processor) ) if not predicate: return None @@ -601,7 +600,6 @@ def insert_rls( token_list: TokenList, database_id: int, default_schema: Optional[str], - username: Optional[str] = None, ) -> TokenList: """ Update a statement inplace applying any associated RLS predicates. @@ -623,7 +621,7 @@ def insert_rls( elif state == InsertRLSState.SEEN_SOURCE and ( isinstance(token, Identifier) or token.ttype == Keyword ): - rls = get_rls_for_table(token, database_id, default_schema, username) + rls = get_rls_for_table(token, database_id, default_schema) if rls: state = InsertRLSState.FOUND_TABLE diff --git a/tests/unit_tests/sql_parse_tests.py b/tests/unit_tests/sql_parse_tests.py index 1d2c788496af0..98eceebd47136 100644 --- a/tests/unit_tests/sql_parse_tests.py +++ b/tests/unit_tests/sql_parse_tests.py @@ -1409,7 +1409,6 @@ def get_rls_for_table( candidate: Token, database_id: int, default_schema: str, - username: Optional[str] = None, ) -> Optional[TokenList]: """ Return the RLS ``condition`` if ``candidate`` matches ``table``. From 0a8df1e158953a1e3bdbacf9998749a28edee4c7 Mon Sep 17 00:00:00 2001 From: John Bodley <4567245+john-bodley@users.noreply.github.com> Date: Tue, 21 Jun 2022 11:29:48 -0700 Subject: [PATCH 2/5] Update manager.py --- superset/security/manager.py | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/superset/security/manager.py b/superset/security/manager.py index 1a1413d5b564e..9e215e930a616 100644 --- a/superset/security/manager.py +++ b/superset/security/manager.py @@ -1143,15 +1143,12 @@ def get_guest_rls_filters( ] return [] - def get_rls_filters( - self, - table: "BaseDatasource", - ) -> List[SqlaQuery]: + def get_rls_filters(self, table: "BaseDatasource") -> List[SqlaQuery]: """ Retrieves the appropriate row level security filters for the current user and the passed table. - :param BaseDatasource table: The table to check against. + :param table: The table to check against :returns: A list of filters """ if hasattr(g, "user"): From 2c732746cb24de73721f594244f571a2a53bf87b Mon Sep 17 00:00:00 2001 From: John Bodley <4567245+john-bodley@users.noreply.github.com> Date: Sat, 25 Jun 2022 14:58:09 -0700 Subject: [PATCH 3/5] Update manager.py --- superset/security/manager.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/superset/security/manager.py b/superset/security/manager.py index 9e215e930a616..de71323cdd9f3 100644 --- a/superset/security/manager.py +++ b/superset/security/manager.py @@ -1151,9 +1151,8 @@ def get_rls_filters(self, table: "BaseDatasource") -> List[SqlaQuery]: :param table: The table to check against :returns: A list of filters """ - if hasattr(g, "user"): - user = g.user - else: + + if not (hasattr(g, "user") and g.user is not None): return [] # pylint: disable=import-outside-toplevel @@ -1163,7 +1162,7 @@ def get_rls_filters(self, table: "BaseDatasource") -> List[SqlaQuery]: RowLevelSecurityFilter, ) - user_roles = [role.id for role in self.get_user_roles(user)] + user_roles = [role.id for role in self.get_user_roles(g.user)] regular_filter_roles = ( self.get_session() .query(RLSFilterRoles.c.rls_filter_id) From b7debe176cf1bc47f46ec3363c8042b664b9a0cc Mon Sep 17 00:00:00 2001 From: John Bodley <4567245+john-bodley@users.noreply.github.com> Date: Tue, 5 Jul 2022 10:05:46 -0700 Subject: [PATCH 4/5] Update manager.py --- superset/security/manager.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/superset/security/manager.py b/superset/security/manager.py index de71323cdd9f3..022993bcf5d2c 100644 --- a/superset/security/manager.py +++ b/superset/security/manager.py @@ -1152,7 +1152,7 @@ def get_rls_filters(self, table: "BaseDatasource") -> List[SqlaQuery]: :returns: A list of filters """ - if not (hasattr(g, "user") and g.user is not None): + if not (hasattr(g, "user") and g.user is not None): return [] # pylint: disable=import-outside-toplevel From da4fab6fe3dd4346b56a8613c745fbf19d6965a6 Mon Sep 17 00:00:00 2001 From: John Bodley <4567245+john-bodley@users.noreply.github.com> Date: Tue, 5 Jul 2022 10:18:45 -0700 Subject: [PATCH 5/5] Update manager.py --- superset/security/manager.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/superset/security/manager.py b/superset/security/manager.py index 022993bcf5d2c..39890e0a4d299 100644 --- a/superset/security/manager.py +++ b/superset/security/manager.py @@ -1151,7 +1151,7 @@ def get_rls_filters(self, table: "BaseDatasource") -> List[SqlaQuery]: :param table: The table to check against :returns: A list of filters """ - + if not (hasattr(g, "user") and g.user is not None): return []