Skip to content

Commit

Permalink
Support schema permissions (apache#8219)
Browse files Browse the repository at this point in the history
* Build support for schema access in Superset and SQLab

* Lint
* Test for old and new flask
* Black formatting
* Cleanup modified files
* Support schema permissions
* Add migration
* Make it work for slices as well
* TODO and remove unused field
* Apply schema access check to dashboards as well

Cleaner schema permissions check

Fetch schema permissions in 1 query

Bugfix

Better datasource check

Use security manager for permissions checks and remove dead code

Properly handle anon user

Add database permissions on the database updates

Fix schema filtering

Lint / flake changes

Increase cypress request timeout

Run black

Resolve multiple alembic heads

* Use set comprehensions

* Fixes for the pylint
  • Loading branch information
bkyryliuk authored and mistercrunch committed Dec 3, 2019
1 parent 43f637e commit 003e98c
Show file tree
Hide file tree
Showing 14 changed files with 772 additions and 135 deletions.
3 changes: 2 additions & 1 deletion superset/assets/cypress.json
Original file line number Diff line number Diff line change
@@ -1,7 +1,8 @@
{
"baseUrl": "http://localhost:8081",
"chromeWebSecurity": false,
"defaultCommandTimeout": 10000,
"defaultCommandTimeout": 20000,
"requestTimeout": 20000,
"ignoreTestFiles": ["**/!(*.test.js)"],
"projectId": "fbf96q",
"video": false,
Expand Down
1 change: 1 addition & 0 deletions superset/connectors/base/models.py
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@ class BaseDatasource(AuditMixinNullable, ImportMixin):
cache_timeout = Column(Integer)
params = Column(String(1000))
perm = Column(String(1000))
schema_perm = Column(String(1000))

sql: Optional[str] = None
owners: List[User]
Expand Down
17 changes: 14 additions & 3 deletions superset/connectors/connector_registry.py
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
from collections import OrderedDict
from typing import Dict, List, Optional, Set, Type, TYPE_CHECKING

from sqlalchemy import or_
from sqlalchemy.orm import Session, subqueryload

if TYPE_CHECKING:
Expand Down Expand Up @@ -75,13 +76,23 @@ def get_datasource_by_name(

@classmethod
def query_datasources_by_permissions(
cls, session: Session, database: "Database", permissions: Set[str]
cls,
session: Session,
database: "Database",
permissions: Set[str],
schema_perms: Set[str],
) -> List["BaseDatasource"]:
# TODO(bogdan): add unit test
datasource_class = ConnectorRegistry.sources[database.type]
return (
session.query(datasource_class)
.filter_by(database_id=database.id)
.filter(datasource_class.perm.in_(permissions))
.filter(
or_(
datasource_class.perm.in_(permissions),
datasource_class.schema_perm.in_(schema_perms),
)
)
.all()
)

Expand Down Expand Up @@ -111,5 +122,5 @@ def query_datasources_by_name(
) -> List["BaseDatasource"]:
datasource_class = ConnectorRegistry.sources[database.type]
return datasource_class.query_datasources_by_name(
session, database, datasource_name, schema=None
session, database, datasource_name, schema=schema
)
7 changes: 5 additions & 2 deletions superset/connectors/druid/models.py
Original file line number Diff line number Diff line change
Expand Up @@ -292,6 +292,10 @@ def unique_name(self) -> str:
return self.verbose_name or self.cluster_name


sa.event.listen(DruidCluster, "after_insert", security_manager.set_perm)
sa.event.listen(DruidCluster, "after_update", security_manager.set_perm)


class DruidColumn(Model, BaseColumn):
"""ORM model for storing Druid datasource column metadata"""

Expand Down Expand Up @@ -529,8 +533,7 @@ def schema(self) -> Optional[str]:
else:
return None

@property
def schema_perm(self) -> Optional[str]:
def get_schema_perm(self) -> Optional[str]:
"""Returns schema permission if present, cluster one otherwise."""
return security_manager.get_schema_perm(self.cluster, self.schema)

Expand Down
3 changes: 1 addition & 2 deletions superset/connectors/sqla/models.py
Original file line number Diff line number Diff line change
Expand Up @@ -459,8 +459,7 @@ def link(self) -> Markup:
anchor = f'<a target="_blank" href="{self.explore_url}">{name}</a>'
return Markup(anchor)

@property
def schema_perm(self) -> Optional[str]:
def get_schema_perm(self) -> Optional[str]:
"""Returns schema permission if present, database one otherwise."""
return security_manager.get_schema_perm(self.database, self.schema)

Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,99 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
"""serialize_schema_permissions.py
Revision ID: 5afa9079866a
Revises: db4b49eb0782
Create Date: 2019-09-11 21:49:00.608346
"""


# revision identifiers, used by Alembic.
from alembic import op
from sqlalchemy import Column, ForeignKey, Integer, String
from sqlalchemy.ext.declarative import declarative_base
from sqlalchemy.orm import relationship

from superset import db

revision = "5afa9079866a"
down_revision = "db4b49eb0782"

Base = declarative_base()


class Sqlatable(Base):
__tablename__ = "tables"

id = Column(Integer, primary_key=True)
perm = Column(String(1000))
schema_perm = Column(String(1000))
schema = Column(String(255))
database_id = Column(Integer, ForeignKey("dbs.id"), nullable=False)
database = relationship("Database", foreign_keys=[database_id])


class Slice(Base):
__tablename__ = "slices"

id = Column(Integer, primary_key=True)
datasource_id = Column(Integer)
datasource_type = Column(String(200))
schema_perm = Column(String(1000))


class Database(Base):
__tablename__ = "dbs"

id = Column(Integer, primary_key=True)
database_name = Column(String(250))
verbose_name = Column(String(250), unique=True)


def upgrade():
op.add_column(
"datasources", Column("schema_perm", String(length=1000), nullable=True)
)
op.add_column("slices", Column("schema_perm", String(length=1000), nullable=True))
op.add_column("tables", Column("schema_perm", String(length=1000), nullable=True))

bind = op.get_bind()
session = db.Session(bind=bind)
for t in session.query(Sqlatable).all():
db_name = (
t.database.verbose_name
if t.database.verbose_name
else t.database.database_name
)
if t.schema:
t.schema_perm = f"[{db_name}].[{t.schema}]"
table_slices = (
session.query(Slice)
.filter_by(datasource_type="table")
.filter_by(datasource_id=t.id)
.all()
)
for s in table_slices:
s.schema_perm = t.schema_perm
session.commit()


def downgrade():
op.drop_column("tables", "schema_perm")
op.drop_column("datasources", "schema_perm")
op.drop_column("slices", "schema_perm")
2 changes: 2 additions & 0 deletions superset/models/core.py
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,7 @@ def set_related_perm(mapper, connection, target):
ds = db.session.query(src_class).filter_by(id=int(id_)).first()
if ds:
target.perm = ds.perm
target.schema_perm = ds.schema_perm


def copy_dashboard(mapper, connection, target):
Expand Down Expand Up @@ -172,6 +173,7 @@ class Slice(Model, AuditMixinNullable, ImportMixin):
description = Column(Text)
cache_timeout = Column(Integer)
perm = Column(String(1000))
schema_perm = Column(String(1000))
owners = relationship(security_manager.user_model, secondary=slice_user)

export_fields = [
Expand Down
Loading

0 comments on commit 003e98c

Please sign in to comment.