Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2018/07/03 09:12:49 UTC

[GitHub] yamyamyuo edited a comment on issue #538: Access configuration is too complicated

URL: https://github.com/apache/incubator-superset/issues/538#issuecomment-402068569
 
 
   I totally agree that the security control is too complex to use. There are several problems with the role-based permission model.
   1. If you have datasource access to a bunch of tables named Perm_A, it allows you to view dashboard A if its datasource is a subset of Perm_A's datasources. The tricky thing is that if, by coincidence, dashboard B's datasource is also a subset of Perm_A, then it will cause a problem if dashboard B is not supposed to be accessed by anyone.
   
   2. Datasource access is only controlled per table. Why is datasource access control not available at the level of database, schema or catalog? If you want to control a department's datasource access, you have to list all of the tables that belong to the specific department. That's unreasonable. If a company has hundreds of departments and thousands of databases, it will require many Superset administrators to manage the permissions.
   
   3. The permission model does not support deny. In some use cases, if you don't have one permission, you will be denied.
   
   I did some hacky things to avoid the complex permission management. I use scripts to automatically add one invisible slice to a dashboard. Each slice uses a different datasource (the data sources are auto-created by script as well!). Then it can solve problem 1.
   The scripts are scheduled once an hour to collect all the dashboards' table permissions and create grouped roles. The final thing for admins to do is add the grouped role to a specific user.
   
   
   
   
   
   
   

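The subset rule from problem 1 and the marker-datasource workaround, as an added example that is not part of the original comment and not Superset's code. It is a simplified Python model: all table, dashboard and role names are constructed, and treating the grouped role as including each dashboard's marker datasource is this example's reading of the workaround.

```python
# Simplified model of the access rule described in the comment; NOT Superset's code.
# Table, dashboard and role names below are constructed for illustration.

def visible_dashboards(granted, dashboards):
    """Dashboards whose datasources are all contained in the granted set."""
    return sorted(name for name, sources in dashboards.items()
                  if sources and sources <= granted)

def add_markers(dashboards):
    """Workaround (assumed reading): attach one unique datasource per dashboard,
    standing in for the invisible slice with its own auto-created datasource."""
    return {name: sources | {f"marker__{name}"}
            for name, sources in dashboards.items()}

def grouped_role(dashboard, dashboards):
    """Role the scheduled script would build: every datasource the dashboard uses."""
    return frozenset(dashboards[dashboard])

DASHBOARDS = {
    "dashboard_A": {"sales.orders", "sales.customers"},
    "dashboard_B": {"sales.customers"},  # intended to be restricted
}
PERM_A = {"sales.orders", "sales.customers", "sales.products"}

def demo():
    # Problem 1: dashboard_B is exposed because its tables happen to be in Perm_A.
    before = visible_dashboards(PERM_A, DASHBOARDS)
    marked = add_markers(DASHBOARDS)
    # Table grants alone no longer satisfy any dashboard once markers exist.
    tables_only = visible_dashboards(PERM_A, marked)
    # Granting the grouped role for dashboard_A exposes dashboard_A only.
    with_role = visible_dashboards(set(grouped_role("dashboard_A", marked)), marked)
    return before, tables_only, with_role

if __name__ == "__main__":
    for label, result in zip(("before", "tables only", "grouped role"), demo()):
        print(f"{label}: {result}")
```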