-
Notifications
You must be signed in to change notification settings - Fork 13k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[SIP-126] Fine-grained access control to Superset entities #28021
Comments
Btw, I already have a working branch for this, so happy to open it up as a PR for y'all to test (I just need to rebase it). |
Would it be the DASHBOARD_RBAC flag that enables this option? If so, would that flag and the role-based viewership be deprecated as well? |
I assume both models will be supported for now then, and this CLI would be removed as part of the 5.0 deprecation and 6.0 removal plan? Then we would force the migration in 6.0? |
I agree that Users and Groups seems sufficient... Role-based access seems like an unnecessary complication, if there's a way out of supporting that. 🤔 |
Yes, this feature is a superset of Dashboard RBAC, So we would deprecate and ultimately remove it in a fortcoming major release. |
Yes |
Yes, that's the plan |
As discussed this morning:
Some TODO:
|
Thanks for the summary @mistercrunch 👍 I hadn't thought of looking into existing libraries/frameworks for the ABAC system. I'll look into these. I also agree on getting started on the modelling to make this work for the use cases identified in SIPs 125 and 126, along with future proofing it without stepping on FAB's toes. |
Wondering if it's easier to alter this SIP or start over from scratch to make sure everything is captured. Let me give it a quick shot with GPT here: SIP-127: Federated Model for RBAC/ABAC/ACL in Apache SupersetMotivationCurrent implementations of RBAC/ABAC in Apache Superset are managed through various models and permissions systems, primarily leveraging Flask-AppBuilder (FAB) for app-level permissions. This split approach introduces complexity in managing data access permissions and results in user interface clutter, inefficient permissions synchronization, and scaling issues. A unified, centralized policy manager is proposed to address these challenges by consolidating all aspects of RBAC, ABAC, and ACL within Superset. Goals
Proposed Changes1. Central Policy Manager
2. Hierarchy-Aware Access Control
3. Integration with Existing Frameworks
4. Migration from FAB
5. User Interface Enhancements
6. Implementation Details
Migration Plan and Compatibility
Rejected Alternatives
Request for Comments
This SIP aims to significantly overhaul how permissions are managed in Apache Superset, simplifying the user experience, enhancing security, and providing a framework that can scale effectively in large and dynamic environments. |
GPT did a decent first pass at merging both, @villebro @michael-s-molina feel free to take it form here, though I feel like we should meet again soon |
Thanks @mistercrunch , I think this is moving in a great direction! As the federated security model is a big chunk to digest on its own, I would prefer to keep the fine-grained access control SIP separate from the proposed SIP for a federated security model. This to make sure we can let interested parties review both SIPs in isolation, without having to fully grasp both. Having said that, I'm completely committed to tackling the requirements of the new security model when implementing the fine-grained access control feature. I can open up the ABAC/RBAC/ACL SIP, and make sure these stay in sync. Thoughts @mistercrunch @michael-s-molina ? |
The merging is great @mistercrunch! I also think we should sync again. Maybe even a weekly meeting until we have everything figured out.
@villebro I think it's important to analyze all the requirements together, think about all uses cases, and then start with a simple implementation. When we design the API, the hierarchy of resources, the types of actions we'll support, how we are going to store this information, we need to be able to test our design against all requirements to make sure the consolidated policy manager will work. That being said, we can definitely discuss splitting the SIPs in our next meeting if it's beneficial for reviewers. |
One thing is to do an assessment and maybe rationalization/simplification of the current set of permissions. Maybe a matrix of ViewMenu/Permission in FAB on a clean install would be a nice place to start. |
Agreed, a weekly for now would make sense, as this effort will likely otherwise stall due to to its complexity.
I agree, for the implementation of the new security system, they do need to be assessed together. However, I feel it's important to give room to discuss this new direction of fine-grained entity-level access controls from a pure usability and governance perspective, as many people will likely not be interested, or have the expertise, to go deep into the new security policy proposal. @rusackas @mistercrunch @michael-s-molina would on of you be able to setup a weekly sync for this? I would otherwise, but I don't have a Zoom account to attach to it. The same time slot we had last time should usually work for me, except next Monday, when I could join at 11:30 am PST. |
Sent out an invite... DM me if the time is an issue and we'll sort it out. |
Should we close this out in anticipation of the new/revised one? |
@rusackas sure, I'll try to get the new one started today, I think we got all the necessary requirements mapped yesterday in the sync meeting. |
Motivation
For the main entities, like charts and dashboards, Superset employs an implicit access control model, where access is granted if the user has access to the underlying datasource. While this makes sense from a data access perspective (=you shouldn't be able to view a chart if you can't access the underlying table), it has the following drawbacks:
In addition, other than via Roles, Superset doesn't have a concept of groups that multiple users can belong to. This makes it difficult to manage collective ownership of assets, as each asset has to be explicitly owned by users. While SIP-51 Dashboard Level Access proposed a solution for this, it utilized the Role model for non-permission based access controls, which is a deviation from what FAB Roles are originally intended for. This is also the case for SIP-29 Row Level Security, where roles are being used due to the absence of pure non-permission based groups.
This user-centric access control model becomes particularly challenging in large organizations, where users routinely flow in and out of teams, or become absent, like when a user resigns. In these cases an admin usually has to step in and manually re-assign ownership of an asset to another team member. For this reason, it would be practical to be able to assign ownership of assets to a group or groups, rather to one or many users.
Proposed Change
To introduce granular access controls to Superset entities, and clarify access controls, we propose the following changes:
1. Introduce concept of Editors and Viewers
These new properties will replace the current "Owner" property and implicit access model as follows:
The properties are added to the following models:
For Alerts & Reports and RLS we only introduce Editor for now. The list views are updated to only show entities that the user has access to, either via Editors or Viewers.
2. Add a Group model
The Group, similar to the Role model, will make it possible to group multiple users together. This can be used to create arbitrary groups, e.g. "Finance", "Marketing", "USA", "Finland" etc. Typically, membership to these would be synced from some upstream source, like LDAP, and id token or similar.
3. Add a Subject model
The Editor and Viewer properties would reference a new Subject model, which in turn would reference one of three models:
The Editor/Viewer dropdowns would thus make it possible to assign editorship/viewership not only to Users, but also Groups or Roles. By default, only Users and Groups would be displayed in the dropdowns, but for backward compatibility with
DASHBOARD_RBAC
, it would be possible to also reference Roles as a subject. Exposing Roles would be done via a query filter (disabled by default).New or Changed Public Interfaces
Subject
model is introduced, that has an entry for eachUser
,Group
andRole
editors
andviewers
that are linked to theSubject
model via link tables.Subject
model, which makes it possible to choose Subjects for the Editor and Viewer properties.Migration Plan and Compatibility
published
flag is removed from dashboards, after which any user that has access via the Viewer property is assumed to be able to view the dashboard.Rejected Alternatives
We considered enabling the
DASHBOARD_RBAC
flag. However, this didn't solve the ownership issue. Also, the Role model is not designed for non-permission based groups. Therefore, it felt more intuitive to introduce a new model that can be directly linked with existing enterprise ACL solutions, like LDAP.Screenshots
It would be possible to assign subjects (Users, Roles or Groups) to both the Viewers and Editors property. Notice, how both users and groups can be referenced:
On the list view, you would only be able to see the entities that you have access to, either via the Editor or Viewer property:
The text was updated successfully, but these errors were encountered: