feat(dashboard_rbac): provide data access based on dashboard access

[amitmiran137]

SUMMARY

This is the second milestone in dashboard_rbac support where having a dashboard role entitles the user data access to all of the datasets within a dashboard

following @suddjian recommendation on an existing PR, I decided to take a simpler solution

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

dashboard_data_access.mov

TEST PLAN

0. enable DASHBOARD_RBAC ff
1. create a separated user with Gamma role
2. on dashboard properties give Gamma role access to the dashboard
3. sign in as the gamma user
4. check that he can access the dashboard and all charts all loaded inside

ADDITIONAL INFORMATION

• Has associated issue:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[etr2460]

Is this the default behavior we want to support? I wonder if there's value in creating alternate SecurityManagerPlugins for different use cases, and then if you wanted dashboard_rbac for your deployment, you'd use the specific SecurityManager for that use case.

Mainly asking as I haven't been following this work too closely, and this looks like a fairly specific change (for example it doesn't apply to Druid datasources and assumes that a BaseDatasource is always a SqlaTable)

[amitmiran137]

Is this the default behavior we want to support? I wonder if there's value in creating alternate SecurityManagerPlugins for different use cases, and then if you wanted dashboard_rbac for your deployment, you'd use the specific SecurityManager for that use case.

Mainly asking as I haven't been following this work too closely, and this looks like a fairly specific change (for example it doesn't apply to Druid datasources and assumes that a BaseDatasource is always a SqlaTable)

the entire feature is under the DASHBOARD_RBAC ff
and about the druid datasources, I'll change it to use the BaseDatasource

[etr2460]

it's under the feature flag, but this check is added to the security manager without the feature flag right? should we be checking the flag here too?

[amitmiran137]

it's under the feature flag, but this check is added to the security manager without the feature flag right? should we be checking the flag here too?

thank you for the input, I added the the FF restriction and the more generic support for table

[suddjian]

Nice, much cleaner implementation! Happy to approve once the new method has some tests.

[codecov]

Codecov Report

Merging #13992 (33d64d5) into master (b394733) will decrease coverage by 0.11%.
The diff coverage is 100.00%.

❗ Current head 33d64d5 differs from pull request most recent head 573ed3e. Consider uploading reports for the commit 573ed3e to get more accurate results

@@            Coverage Diff             @@
##           master   #13992      +/-   ##
==========================================
- Coverage   79.76%   79.64%   -0.12%     
==========================================
  Files         942      942              
  Lines       47675    47689      +14     
  Branches     5984     5984              
==========================================
- Hits        38029    37984      -45     
- Misses       9525     9584      +59     
  Partials      121      121              

Flag	Coverage Δ
cypress	56.31% <ø> (-0.01%)	⬇️
hive	?
javascript	69.67% <ø> (ø)
mysql	80.73% <100.00%> (+0.01%)	⬆️
postgres	80.76% <100.00%> (?)
presto	80.48% <100.00%> (+0.01%)	⬆️
python	81.06% <100.00%> (-0.22%)	⬇️
sqlite	80.36% <100.00%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...src/dashboard/components/PropertiesModal/index.jsx	85.61% <ø> (ø)
superset/views/dashboard/mixin.py	95.00% <ø> (ø)
superset/security/manager.py	91.43% <100.00%> (+0.34%)	⬆️
superset/db_engines/hive.py	0.00% <0.00%> (-82.15%)	⬇️
superset/db_engine_specs/hive.py	74.42% <0.00%> (-16.42%)	⬇️
...dashboard/components/SliceHeaderControls/index.jsx	77.89% <0.00%> (-1.06%)	⬇️
superset/connectors/sqla/models.py	89.69% <0.00%> (-0.25%)	⬇️
superset/utils/core.py	88.70% <0.00%> (-0.13%)	⬇️
superset/views/base_api.py	98.28% <0.00%> (+0.42%)	⬆️
superset/db_engine_specs/postgres.py	96.80% <0.00%> (+1.06%)	⬆️
... and 1 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b394733...573ed3e. Read the comment docs.

[villebro]

First pass comments

[villebro]

A few minor comments. Should we update this string to state that granting a role access to a dashboard will bypass datasource level checks?

superset/superset/views/dashboard/mixin.py

Lines 68 to 69 in 2c96c5b

	"These roles are always applied in addition to restrictions on dataset "
	"level access. "

Or should we rather add a new config flag in which we can specify that dashboard RBAC either overrides or is supplemental to dataset access control?

[amitmiran137]

IMO we should just change the string the explains instead of an additional feature flag.

That way both use cases could live on different dashboards
One dashboard can use roles while the other can use dataset permissions

[suddjian]

Thanks for all the adjustments, looks good!

[tejpochiraju]

Just here to say thanks! I was just starting to implement a rather complex role + user API integration to automate access from our IoT platform. This solves half the problem 👍🏾

[MM-Lehmann]

The fallback (to dataset perms) doesn't seem to work on v1.4.1
When the FF is active, no access is granted to any dashboard unless roles are set in dashboards. It doesn't look like the intended behaviour...

[nikhil-kuyya-talentas]

Thank you for pull request on role based controls. I am trying to extend to our(my company) requirement to chart level.
Can you help me if possible, how these can_access_based_on_dashboard method query is working little bit.
[Update]: got the understanding,
[MySolution]: I have created the custom can_access_based_on_chart and passed extra slice_id parameter.

[nikhil-kuyya-talentas]

should we check the can_access_based_on_dashboard if there is not slice_id in query_context and viz.
given that i don't have access to data menu items.

• These case when i come to explore view by typing the url. <host_name>/superset/explore/table/1/
• Select the explore options for the data and query. now in these it works and fetch the data for me.