[security] improving the security scheme #1587
Conversation
mistercrunch
force-pushed
the
security
branch
from
081898f
to
62d643e
Compare
| sm.add_permission_role(gamma, p) | ||
| if PUBLIC_ROLE_LIKE_GAMMA: | ||
| sm.add_permission_role(public, p) | ||
| else: |
There was a problem hiding this comment.
could you add a todo to remove else case once the DB state is fixed ?
There was a problem hiding this comment.
I'm thinking we move to fully control these base roles, if people alter them they will be overwritten. People should create and compose new roles in their environment instead of altering the ones provided by Superset
| sm.add_permission_role(public_role, perm) | ||
| p.view_menu.name in {'SQL Lab'} or | ||
| p.permission.name in {'can_sql_json'} | ||
| ): |
There was a problem hiding this comment.
add download csv endpoint here and maybe query search
| qry = query.filter(self.model.perm.in_(self.get_perms())) | ||
| return qry | ||
| perms = self.get_view_menus('datasource_access') | ||
| logging.info(perms) |
There was a problem hiding this comment.
will be too noisy, could you remove logging here?
| public_role = appbuilder.sm.find_role('Public') | ||
| perms = db.session.query(ab_models.PermissionView).all() | ||
| for perm in perms: | ||
| if (perm.permission.name == 'datasource_access' and | ||
| perm.view_menu and table_name in perm.view_menu.name): | ||
| perm.view_menu and table.perm in perm.view_menu.name): | ||
| print('-==-'*20) |
| .filter_by(table_name='birth_names') | ||
| .one() | ||
| ) | ||
| print(table.perm) |
| @@ -1841,29 +1858,6 @@ def sqllab_viz(self): | |||
| return redirect(url) | |||
|
|
|||
| @has_access | |||
| @expose("/sql/<database_id>/") | |||
There was a problem hiding this comment.
that's an old obsolete endpoint
| @@ -1967,38 +1961,6 @@ def cached_key(self, key): | |||
| return "nope" | |||
|
|
|||
| @has_access_api | |||
| @expose("/results/<key>/") | |||
mistercrunch
force-pushed
the
security
branch
from
62d643e
to
b1cef80
Compare
| @@ -1967,7 +1960,6 @@ def cached_key(self, key): | |||
| return "nope" | |||
|
|
|||
| @has_access_api | |||
| @expose("/results/<key>/") | |||
|
LGTM once test is fixed and |
mistercrunch
force-pushed
the
security
branch
6 times, most recently
from
0d05dd1
to
8af7dda
Compare
| @@ -23,6 +30,12 @@ class DatabaseSelect extends React.PureComponent { | |||
| const options = data.result.map((db) => ({ value: db.id, label: db.database_name })); | |||
| this.setState({ databaseOptions: options, databaseLoading: false }); | |||
| this.props.actions.setDatabases(data.result); | |||
| if (data.result.length === 0) { | |||
There was a problem hiding this comment.
it would be great to pass the server response here / check the response status
| print("Starting server with command: " + cmd) | ||
| Popen(cmd, shell=True).wait() | ||
|
|
||
| @manager.command |
There was a problem hiding this comment.
Expected 2 blank lines, found 1
| """Inits the Superset application""" | ||
| security.sync_role_definitions() | ||
|
|
||
| @manager.option( |
There was a problem hiding this comment.
Expected 2 blank lines, found 1
| if verbose: | ||
| print("[DB] : " + "{}".format(db.engine)) | ||
|
|
||
| @manager.option( |
There was a problem hiding this comment.
Expected 2 blank lines, found 1
| print("Loading [Unicode test data]") | ||
| data.load_unicode_test_data() | ||
|
|
||
| @manager.option( |
There was a problem hiding this comment.
Expected 2 blank lines, found 1
| @@ -2178,6 +2206,9 @@ def get_having_filters(self, raw_filters): | |||
| filters = cond | |||
| return filters | |||
|
|
|||
| sqla.event.listen(DruidDatasource, 'before_insert', set_perm) | |||
There was a problem hiding this comment.
datasource_name / cluster rename will change the permission and will revoke the user access to it, just an observation.
| @@ -964,6 +983,19 @@ class LogModelView(SupersetModelView): | |||
| icon="fa-list-ol") | |||
|
|
|||
|
|
|||
| class QueryView(SupersetModelView): | |||
| datamodel = SQLAInterface(models.Query) | |||
| list_columns = ['user', 'database', 'status', 'start_time', 'start_time'] | |||
There was a problem hiding this comment.
s/start_time/end_time
what about showing sql?
| @@ -2263,7 +2273,6 @@ def show_traceback(self): | |||
| title=ascii_art.stacktrace, | |||
| art=ascii_art.error), 500 | |||
|
|
|||
| @has_access | |||
There was a problem hiding this comment.
I would keep @has_access for welcome too and would add it by default to the public role
|
Great changes, code is more structured now ! Having more tests around basic roles would be great, but can be done later in separate PR. |
mistercrunch
force-pushed
the
security
branch
from
8af7dda
to
53bea43
Compare
|
LGTM |
mistercrunch
added
🏷️ bot
No description provided.