You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2020/10/08 07:43:27 UTC
[GitHub] [incubator-superset] bolkedebruin opened a new issue #11198: [SIP-?] Extending the security framework to provide data level security
bolkedebruin opened a new issue #11198:
URL: https://github.com/apache/incubator-superset/issues/11198
## [SIP] Proposal for Extending the security framework to provide data level security
### Motivation
In certain Enterprises. like for example financial services, it is often required to limit the accessibility of data to certain people and to have the ability to manage this centrally. This means that users only have a limited ability to publish results in dashboards to a broader public.
Typically this is managed on the data/resource level. For example user "bolke" has access to transaction data from Asia but cannot access transaction from Europe. It might be that "bolke" has access to aggregated data, like a dashboard or a chart, but not to the original datasource.
In such a context you would like to be able to set permissions in a leveled way like:
1. Dashboard
2. Chart -> (Table / View, Function, Column(s))
This type of resource based access is equal to for example what is implemented in Presto.
Superset currently does not have such a model. It only implements table/schema/database with row level filtering it does not have a fine grained permission model on dashboards and charts. This limits the usability in a enterprise context. It also has a technical limitation as we cannot enable the cache as that ignores the permission model that works on the database level (e.g. Presto, Druid etc).
### Proposed Change
A new decorator `@has_access_resource` that takes the resource type, resource name, and its specification (e.g. Chart -> type, table/view, metric, column(s). The request itself (GET/POST) should also be available to this decorator as permissions might be dependent on time of the day, geolocation etc.
Permission checks can be expensive (we have over 1500 policies). Therefore I suggest a default "pass" implementation also for backwards compatibility. The check itself can then be 'outsourced' to highly optimized systems like Open Policy Agent or Apache Ranger.
### New or Changed Public Interfaces
Optionally a Securitymanager that implements `has_access_resource` can be provided in the configuration
### New dependencies
None
### Migration Plan and Compatibility
None, this is backwards compatible.
### Rejected Alternatives
It was mentioned that column access could be solved by proxy with views that expose subsets of columns. This creates an extra burden either in maintaining the Dashboard (which is the not possible to centrally manage) or with the Database team , while the global cache can still not be enabled.
cc @mistercrunch
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] amitNielsen commented on issue #11198: [SIP-?] Extending the security framework to provide data level security
Posted by GitBox <gi...@apache.org>.
amitNielsen commented on issue #11198:
URL: https://github.com/apache/incubator-superset/issues/11198#issuecomment-705730432
hey @bolkedebruin please review #10408 in which we also describe **data access control** that might be relevant to what you are referring here
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] ktmud commented on issue #11198: [SIP-55] Extending the security framework to provide data level security
Posted by GitBox <gi...@apache.org>.
ktmud commented on issue #11198:
URL: https://github.com/apache/incubator-superset/issues/11198#issuecomment-749399790
+1 on generalizing access controls with one API. The `SecurityManager` already has [`can_access`](https://github.com/airbnb/incubator-superset/blob/2f0add3aec8f168fb8c37c648f0e29e507f39294/superset%2Fsecurity%2Fmanager.py#L217). Maybe we can do some clean up and start from there.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] issue-label-bot[bot] commented on issue #11198: [SIP-?] Extending the security framework to provide data level security
Posted by GitBox <gi...@apache.org>.
issue-label-bot[bot] commented on issue #11198:
URL: https://github.com/apache/incubator-superset/issues/11198#issuecomment-705393124
Issue-Label Bot is automatically applying the label `#enhancement` to this issue, with a confidence of 0.92. Please mark this comment with :thumbsup: or :thumbsdown: to give our bot feedback!
Links: [app homepage](https://github.com/marketplace/issue-label-bot), [dashboard](https://mlbot.net/data/apache/incubator-superset) and [code](https://github.com/hamelsmu/MLapp) for this bot.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] amitNielsen commented on issue #11198: [SIP-?] Extending the security framework to provide data level security
Posted by GitBox <gi...@apache.org>.
amitNielsen commented on issue #11198:
URL: https://github.com/apache/incubator-superset/issues/11198#issuecomment-705730432
hey @bolkedebruin please review #10408 in which we also describe **data access control** that might be relevant to what you are referring here
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] issue-label-bot[bot] commented on issue #11198: [SIP-?] Extending the security framework to provide data level security
Posted by GitBox <gi...@apache.org>.
issue-label-bot[bot] commented on issue #11198:
URL: https://github.com/apache/incubator-superset/issues/11198#issuecomment-705393124
Issue-Label Bot is automatically applying the label `#enhancement` to this issue, with a confidence of 0.92. Please mark this comment with :thumbsup: or :thumbsdown: to give our bot feedback!
Links: [app homepage](https://github.com/marketplace/issue-label-bot), [dashboard](https://mlbot.net/data/apache/incubator-superset) and [code](https://github.com/hamelsmu/MLapp) for this bot.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org