[Feature branch] Split data access and query builder access (metabase…

…#41581) Co-authored-by: Noah Moss <[email protected]> Co-authored-by: Noah Moss <[email protected]> Co-authored-by: Nick Fitzpatrick <[email protected]> Co-authored-by: John Swanson <[email protected]> Co-authored-by: Sloan Sparger <[email protected]> Co-authored-by: Sloan Sparger <[email protected]>
marregui · Apr 19, 2024 · 79583b9 · 79583b9
1 parent e6fa8f9
commit 79583b9
Show file tree

Hide file tree

Showing 164 changed files with 6,679 additions and 2,917 deletions.
diff --git a/e2e/snapshot-creators/default.cy.snap.js b/e2e/snapshot-creators/default.cy.snap.js
@@ -7,7 +7,14 @@ import {
   SAMPLE_DB_TABLES,
   METABASE_SECRET_KEY,
 } from "e2e/support/cypress_data";
-import { snapshot, restore, withSampleDatabase } from "e2e/support/helpers";
+import {
+  snapshot,
+  restore,
+  withSampleDatabase,
+  setTokenFeatures,
+  describeEE,
+  deleteToken,
+} from "e2e/support/helpers";
 
 const {
   STATIC_ORDERS_ID,
@@ -63,6 +70,29 @@ describe("snapshots", () => {
     });
   });
 
+  describeEE("default-ee", () => {
+    it("default-ee", () => {
+      restore("blank");
+      setup();
+      updateSettings();
+      setTokenFeatures("all");
+      addUsersAndGroups(true);
+      createCollections();
+      withSampleDatabase(SAMPLE_DATABASE => {
+        ensureTableIdsAreCorrect(SAMPLE_DATABASE);
+        hideNewSampleTables(SAMPLE_DATABASE);
+        createQuestionsAndDashboards(SAMPLE_DATABASE);
+        createModels(SAMPLE_DATABASE);
+        cy.writeFile(
+          "e2e/support/cypress_sample_database.json",
+          SAMPLE_DATABASE,
+        );
+      });
+      deleteToken();
+      snapshot("default-ee");
+    });
+  });
+
   function setup() {
     cy.request("GET", "/api/session/properties").then(
       ({ body: properties }) => {
@@ -102,26 +132,28 @@ describe("snapshots", () => {
     });
   }
 
-  function addUsersAndGroups() {
+  function addUsersAndGroups(isEE = false) {
+    const lowest_read_data_permission = isEE ? "blocked" : "unrestricted";
+
     // groups
     cy.request("POST", "/api/permissions/group", { name: "collection" }).then(
       ({ body }) => {
-        expect(body.id).to.eq(COLLECTION_GROUP); // 4
+        expect(body.id).to.eq(COLLECTION_GROUP); // 3
       },
     );
     cy.request("POST", "/api/permissions/group", { name: "data" }).then(
       ({ body }) => {
-        expect(body.id).to.eq(DATA_GROUP); // 5
+        expect(body.id).to.eq(DATA_GROUP); // 4
       },
     );
     cy.request("POST", "/api/permissions/group", { name: "readonly" }).then(
       ({ body }) => {
-        expect(body.id).to.eq(READONLY_GROUP); // 6
+        expect(body.id).to.eq(READONLY_GROUP); // 5
       },
     );
     cy.request("POST", "/api/permissions/group", { name: "nosql" }).then(
       ({ body }) => {
-        expect(body.id).to.eq(NOSQL_GROUP); // 7
+        expect(body.id).to.eq(NOSQL_GROUP); // 6
       },
     );
 
@@ -135,19 +167,35 @@ describe("snapshots", () => {
 
     cy.updatePermissionsGraph({
       [ALL_USERS_GROUP]: {
-        [SAMPLE_DB_ID]: { data: { schemas: "none", native: "none" } },
+        [SAMPLE_DB_ID]: {
+          // set the data permission so the UI doesn't warn us that "all users has higher permissions than X"
+          "view-data": lowest_read_data_permission,
+          "create-queries": "no",
+        },
       },
       [DATA_GROUP]: {
-        [SAMPLE_DB_ID]: { data: { schemas: "all", native: "write" } },
+        [SAMPLE_DB_ID]: {
+          "view-data": "unrestricted",
+          "create-queries": "query-builder-and-native",
+        },
       },
       [NOSQL_GROUP]: {
-        [SAMPLE_DB_ID]: { data: { schemas: "all", native: "none" } },
+        [SAMPLE_DB_ID]: {
+          "view-data": "unrestricted",
+          "create-queries": "query-builder",
+        },
       },
       [COLLECTION_GROUP]: {
-        [SAMPLE_DB_ID]: { data: { schemas: "none", native: "none" } },
+        [SAMPLE_DB_ID]: {
+          "view-data": lowest_read_data_permission,
+          "create-queries": "no",
+        },
       },
       [READONLY_GROUP]: {
-        [SAMPLE_DB_ID]: { data: { schemas: "none", native: "none" } },
+        [SAMPLE_DB_ID]: {
+          "view-data": lowest_read_data_permission,
+          "create-queries": "no",
+        },
       },
     });
 

diff --git a/e2e/support/commands/permissions/sandboxTable.js b/e2e/support/commands/permissions/sandboxTable.js
@@ -20,14 +20,17 @@ Cypress.Commands.add(
       const attr = Object.keys(attribute_remappings).join(", "); // Account for the possiblity of passing multiple user attributes
 
       cy.log(`Sandbox "${name}" table on "${attr}"`);
-      cy.updatePermissionsSchemas({
-        schemas: {
-          [schema]: {
-            [table_id]: { query: "segmented", read: "all" },
+      cy.updatePermissionsGraph({
+        [group_id]: {
+          [db_id]: {
+            "view-data": {
+              [schema]: {
+                [table_id]: "sandboxed",
+              },
+            },
+            "create-queries": "query-builder",
           },
         },
-        user_group: group_id,
-        database_id: db_id,
       });
       cy.request("POST", "/api/mt/gtap", {
         attribute_remappings,

diff --git a/e2e/support/helpers/e2e-enterprise-helpers.js b/e2e/support/helpers/e2e-enterprise-helpers.js
@@ -65,3 +65,19 @@ export const setTokenFeatures = featuresScope => {
     },
   });
 };
+
+export const deleteToken = () => {
+  if (!isEE) {
+    throw new Error(
+      "You must run Metabase® Enterprise Edition™ for token to make sense.\nMake sure you have `MB_EDITION=ee` in your environment variables.",
+    );
+  }
+  return cy.request({
+    method: "PUT",
+    url: "/api/setting/premium-embedding-token",
+    failOnStatusCode: false,
+    body: {
+      value: null,
+    },
+  });
+};
diff --git a/e2e/test/scenarios/actions/model-actions.cy.spec.js b/e2e/test/scenarios/actions/model-actions.cy.spec.js
@@ -243,12 +243,19 @@ describe(
       // to test database picker behavior in the action editor
       setActionsEnabledForDB(SAMPLE_DB_ID);
 
+      setTokenFeatures("all");
       cy.updatePermissionsGraph({
         [USER_GROUPS.ALL_USERS_GROUP]: {
-          [WRITABLE_DB_ID]: { data: { schemas: "none", native: "none" } },
+          [WRITABLE_DB_ID]: {
+            "view-data": "blocked",
+            "create-queries": "no",
+          },
         },
         [USER_GROUPS.DATA_GROUP]: {
-          [WRITABLE_DB_ID]: { data: { schemas: "all", native: "write" } },
+          [WRITABLE_DB_ID]: {
+            "view-data": "unrestricted",
+            "create-queries": "query-builder-and-native",
+          },
         },
       });
 
@@ -809,7 +816,16 @@ describe(
       cy.updatePermissionsGraph(
         {
           [USER_GROUPS.ALL_USERS_GROUP]: {
-            [WRITABLE_DB_ID]: { data: { schemas: "all", native: "write" } },
+            [WRITABLE_DB_ID]: {
+              "view-data": "impersonated",
+              "create-queries": "query-builder-and-native",
+            },
+          },
+          // By default, all groups get `unrestricted` access that will override the impersonation.
+          [USER_GROUPS.COLLECTION_GROUP]: {
+            [WRITABLE_DB_ID]: {
+              "view-data": "blocked",
+            },
           },
         },
         [

diff --git a/e2e/test/scenarios/collections/uploads.cy.spec.js b/e2e/test/scenarios/collections/uploads.cy.spec.js
@@ -255,9 +255,7 @@ describe("permissions", () => {
     cy.updatePermissionsGraph({
       1: {
         [WRITABLE_DB_ID]: {
-          data: {
-            schemas: "block",
-          },
+          "view-data": "blocked",
         },
       },
     });
@@ -300,16 +298,13 @@ describe("permissions", () => {
       cy.updatePermissionsGraph({
         [ALL_USERS_GROUP]: {
           [WRITABLE_DB_ID]: {
-            data: {
-              schemas: "block",
-            },
+            "view-data": "blocked",
           },
         },
         [NOSQL_GROUP]: {
           [WRITABLE_DB_ID]: {
-            data: {
-              schemas: "all",
-            },
+            "view-data": "unrestricted",
+            "create-queries": "query-builder",
           },
         },
       });

diff --git a/e2e/test/scenarios/dashboard-filters/dashboard-filters-source.cy.spec.js b/e2e/test/scenarios/dashboard-filters/dashboard-filters-source.cy.spec.js
@@ -250,7 +250,7 @@ describe("scenarios > dashboard > filters", { tags: "@slow" }, () => {
 
 describeEE("scenarios > dashboard > filters", () => {
   beforeEach(() => {
-    restore();
+    restore("default-ee");
     cy.signInAsAdmin();
     setTokenFeatures("all");
   });

diff --git a/e2e/test/scenarios/dashboard/reproductions/29076-dashboard-card-drill-sandbox.cy.spec.js b/e2e/test/scenarios/dashboard/reproductions/29076-dashboard-card-drill-sandbox.cy.spec.js
@@ -1,5 +1,7 @@
+import { USER_GROUPS, SAMPLE_DB_ID } from "e2e/support/cypress_data";
 import { SAMPLE_DATABASE } from "e2e/support/cypress_sample_database";
 import { ORDERS_DASHBOARD_ID } from "e2e/support/cypress_sample_instance_data";
+const { ALL_USERS_GROUP, COLLECTION_GROUP } = USER_GROUPS;
 import {
   describeEE,
   restore,
@@ -11,12 +13,26 @@ const { PRODUCTS_ID, PRODUCTS } = SAMPLE_DATABASE;
 
 describeEE("issue 29076", () => {
   beforeEach(() => {
-    restore();
+    restore("default-ee");
 
     cy.intercept("/api/dashboard/*/dashcard/*/card/*/query").as("cardQuery");
 
     cy.signInAsAdmin();
     setTokenFeatures("all");
+    cy.updatePermissionsGraph({
+      [ALL_USERS_GROUP]: {
+        [SAMPLE_DB_ID]: {
+          "view-data": "blocked",
+          "create-queries": "no",
+        },
+      },
+      [COLLECTION_GROUP]: {
+        [SAMPLE_DB_ID]: {
+          "view-data": "unrestricted",
+          "create-queries": "query-builder",
+        },
+      },
+    });
     cy.sandboxTable({
       table_id: PRODUCTS_ID,
       attribute_remappings: {
@@ -32,7 +48,6 @@ describeEE("issue 29076", () => {
 
     // eslint-disable-next-line no-unscoped-text-selectors -- deprecated usage
     cy.findByText("Orders").click();
-    cy.wait("@cardQuery");
     // eslint-disable-next-line no-unscoped-text-selectors -- deprecated usage
     cy.findByText("Visualization").should("be.visible");
   });

diff --git a/e2e/test/scenarios/native-filters/reproductions/15163.cy.spec.js b/e2e/test/scenarios/native-filters/reproductions/15163.cy.spec.js
@@ -76,7 +76,10 @@ const dashboardDetails = {
         if (test === "nosql") {
           cy.updatePermissionsGraph({
             [COLLECTION_GROUP]: {
-              1: { data: { schemas: "all", native: "none" } },
+              1: {
+                "view-data": "unrestricted",
+                "create-queries": "query-builder",
+              },
             },
           });
         }

diff --git a/e2e/test/scenarios/native-filters/sql-filters-source.cy.spec.js b/e2e/test/scenarios/native-filters/sql-filters-source.cy.spec.js
@@ -349,7 +349,7 @@ describe("scenarios > filters > sql filters > values source", () => {
 
 describeEE("scenarios > filters > sql filters > values source", () => {
   beforeEach(() => {
-    restore();
+    restore("default-ee");
     cy.signInAsAdmin();
     setTokenFeatures("all");
     cy.intercept("POST", "/api/dataset/parameter/values").as("parameterValues");
@@ -361,7 +361,10 @@ describeEE("scenarios > filters > sql filters > values source", () => {
   it("should sandbox parameter values in questions", () => {
     cy.updatePermissionsGraph({
       [COLLECTION_GROUP]: {
-        [SAMPLE_DB_ID]: { data: { schemas: "all" } },
+        [SAMPLE_DB_ID]: {
+          "view-data": "unrestricted",
+          "create-queries": "query-builder",
+        },
       },
     });
 

diff --git a/e2e/test/scenarios/native/native-database-source.cy.spec.js b/e2e/test/scenarios/native/native-database-source.cy.spec.js
@@ -4,6 +4,7 @@ import {
   popover,
   addPostgresDatabase,
   POPOVER_ELEMENT,
+  setTokenFeatures,
 } from "e2e/support/helpers";
 
 const PG_DB_ID = 2;
@@ -180,9 +181,13 @@ describe(
 
       cy.signOut();
       cy.signInAsAdmin();
+      setTokenFeatures("all");
       cy.updatePermissionsGraph({
         [DATA_GROUP]: {
-          [SAMPLE_DB_ID]: { data: { schemas: "none", native: "none" } },
+          [SAMPLE_DB_ID]: {
+            "view-data": "blocked",
+            "create-queries": "no",
+          },
         },
       });
 

diff --git a/e2e/test/scenarios/native/native.cy.spec.js b/e2e/test/scenarios/native/native.cy.spec.js
@@ -377,11 +377,20 @@ describe("no native access", { tags: ["@external", "@quarantine"] }, () => {
     cy.intercept("/api/database?saved=true").as("database");
     cy.updatePermissionsGraph({
       [USER_GROUPS.ALL_USERS_GROUP]: {
-        [WRITABLE_DB_ID]: { data: { schemas: "none", native: "none" } },
+        [WRITABLE_DB_ID]: {
+          "view-data": "blocked",
+          "create-queries": "no",
+        },
       },
       [USER_GROUPS.NOSQL_GROUP]: {
-        [SAMPLE_DB_ID]: { data: { schemas: "all", native: "write" } },
-        [WRITABLE_DB_ID]: { data: { schemas: "all", native: "none" } },
+        [SAMPLE_DB_ID]: {
+          "view-data": "unrestricted",
+          "create-queries": "query-builder-and-native",
+        },
+        [WRITABLE_DB_ID]: {
+          "view-data": "unrestricted",
+          "create-queries": "query-builder",
+        },
       },
     });