fix: catalog permission check #29581

Merged
merged 2 commits into from
Jul 13, 2024

betodealmeida (Member) commented Jul 12, 2024

SUMMARY

Fix a couple issues with the catalog permission check when adding a dataset:

  • When listing catalogs there is an off-by-one error when including catalogs in which the user has schema access. For example, if a database `db` has 2 catalogs, `A` and `B`, if the user has access to the schema `db.A.schema1` we should show catalog `A` in the response from `get_catalogs_accessible_by_user`. The off-by-one error makes the method return `schema1` instead, which is then discarded because it is not in `{A, B}`.
  • When fetching tables, if a catalog is not specified (either because "Allow changing catalogs" is disabled, or because the DB doesn't support catalogs) then the schema permission still needs to be built with `catalog or default_catalog`, since we need the catalog name in the built schema permission even if "Allow changing catalogs" is disabled, otherwise the schema check will fail.

TESTING INSTRUCTIONS

WIP

@github-actions github-actions bot added the api Related to the REST API label Jul 12, 2024
@dosubot dosubot bot added the authentication:access-control Related to access control label Jul 12, 2024
@github-actions github-actions bot removed the api Related to the REST API label Jul 12, 2024
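
A simplified model of the two fixes described in the summary, as an added example that is not code from this pull request or from Superset. The function names, the dotted grant format and the sample grants are assumptions made for illustration.

```python
# Simplified model, not Superset code. Grant strings use the dotted form from
# the summary ("db.A.schema1"); all names and sample data here are constructed.
DB_CATALOGS = {"A", "B"}
USER_SCHEMA_GRANTS = ["db.A.schema1", "db.public", "otherdb.B.schema9"]


def catalogs_from_schema_grants(grants, database, default_catalog, catalog_index):
    """Collect the catalogs implied by schema-level grants on `database`.

    catalog_index=2 models the lookup before the fix, catalog_index=1 after it.
    """
    found = set()
    for grant in grants:
        parts = grant.split(".")
        if parts[0] != database:
            continue  # grant belongs to another database
        if len(parts) == 2 and default_catalog:
            found.add(default_catalog)  # "db.schema": catalog is implicit
        elif len(parts) == 3:
            found.add(parts[catalog_index])  # "db.catalog.schema"
    return found


def accessible_catalogs(grants, database, all_catalogs, default_catalog, catalog_index=1):
    """Keep only names that are real catalogs of the database.

    This filter is why the wrong index failed silently: "schema1" was
    collected, then dropped because it is not in {A, B}.
    """
    found = catalogs_from_schema_grants(grants, database, default_catalog, catalog_index)
    return found & all_catalogs


def schema_perm(database, catalog, schema, default_catalog):
    """Build the schema permission name, falling back to the default catalog
    when the caller did not specify one (second bullet of the summary)."""
    effective = catalog or default_catalog
    return ".".join(p for p in (database, effective, schema) if p)


if __name__ == "__main__":
    for index, label in ((2, "before fix"), (1, "after fix")):
        result = accessible_catalogs(["db.A.schema1"], "db", DB_CATALOGS, None, index)
        print(label, sorted(result))
    print(schema_perm("db", None, "schema1", "A"))
```
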
@@ -860,7 +860,7 @@ def get_catalogs_accessible_by_user(
if len(parts) == 2 and default_catalog:
accessible_catalogs.add(default_catalog)
elif len(parts) == 3:
accessible_catalogs.add(parts[2])
accessible_catalogs.add(parts[1])
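
Review bot: in the `elif len(parts) == 3:` branch the catalog is still selected by bare position (`parts[1]`), which is the same pattern that let `parts[2]` slip through; unpacking into named variables, for example `_database, catalog, _schema = parts`, would make the intended field explicit. The summary notes that the wrong value was silently discarded rather than raising, so a regression test for this branch is worth adding before merge: a grant on `db.A.schema1` should yield catalog `A`, and the testing instructions are still marked WIP.
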
betodealmeida (Member, Author) commented:

There are 2 hard problems in computer science: cache invalidation, naming things, and off-by-1 errors.

@betodealmeida betodealmeida merged commit fb15278 into master Jul 13, 2024
35 of 36 checks passed
@rusackas rusackas deleted the fix-catalog-security-manager branch July 16, 2024 22:07
eschutho pushed a commit that referenced this pull request Jul 24, 2024