You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2019/12/21 02:14:09 UTC

[GitHub] [incubator-superset] pjuanda opened a new issue #8879: Limit Role Access for specific Tables

pjuanda opened a new issue #8879: Limit Role Access for specific Tables
URL: https://github.com/apache/incubator-superset/issues/8879
 
 
   **Scenario:**
   Let's say i have database called `northwind`. Inside db, i have 2 tables, `customer`  and `employee`. I want to create role for `Human Resource` and  `Marketing` . Users with role `Human Resource` only can run query via SQL Lab to table `employee` and can't query from table `customer` and vice versa. Users will have role `Gamma` and `sql_lab` as base roles.
   
   **What i've done so far is:**
   to run query on SQL Lab, one must have access to database hence i have to grant `database access on northwind`, but if i grant this permission, the user can run query on both tables `employee` and `customer`
   
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org

[GitHub] [incubator-superset] issue-label-bot[bot] commented on issue #8879: Limit Role Access for specific Tables

Posted by GitBox <gi...@apache.org>.

issue-label-bot[bot] commented on issue #8879: Limit Role Access for specific Tables
URL: https://github.com/apache/incubator-superset/issues/8879#issuecomment-568143477
 
 
   Issue Label Bot is not confident enough to auto-label this issue. See [dashboard](https://mlbot.net/data/apache/incubator-superset) for more details.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org

[GitHub] [incubator-superset] hemantaggarwal commented on issue #8879: Limit Role Access for specific Tables

Posted by GitBox <gi...@apache.org>.

hemantaggarwal commented on issue #8879: Limit Role Access for specific Tables
URL: https://github.com/apache/incubator-superset/issues/8879#issuecomment-568497439
 
 
   In SQL Lab its not possible to restrict access on table level. I was also looking for this but I think currently this functionality is not there. We can restrict access to schema level.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org

[GitHub] [incubator-superset] mistercrunch commented on issue #8879: Limit Role Access for specific Tables

Posted by GitBox <gi...@apache.org>.

mistercrunch commented on issue #8879: Limit Role Access for specific Tables
URL: https://github.com/apache/incubator-superset/issues/8879#issuecomment-577457922
 
 
   Oh right. This is a regression since at some point people didn't want to list the databases that users don't have access to. By restricting this now you cannot see the database in the list.
   
   The logic defining that list is here:
   https://github.com/apache/incubator-superset/blob/003e98c231801b0ea34ebaefcff06c7ae9568faf/superset/views/database/mixins.py#L43-L51
   
   One way to fix this is to figure out which tables the user has access to, and add a close in the or_ that essentially says `OR id IN (SELECT database_id FROM sqla_table WHERE perm IN (...{more subqueries in the security related tables}...))`
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org

[GitHub] [incubator-superset] f7753 removed a comment on issue #8879: Limit Role Access for specific Tables

Posted by GitBox <gi...@apache.org>.

f7753 removed a comment on issue #8879: Limit Role Access for specific Tables
URL: https://github.com/apache/incubator-superset/issues/8879#issuecomment-595588814
 
 
   Any progress? Looking forward to this fix, or what can I do to fix this?

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org

[GitHub] [incubator-superset] f7753 commented on issue #8879: Limit Role Access for specific Tables

Posted by GitBox <gi...@apache.org>.

f7753 commented on issue #8879: Limit Role Access for specific Tables
URL: https://github.com/apache/incubator-superset/issues/8879#issuecomment-598594574
 
 
   > mistercrunch
   
   Very grateful for that, I'll have a try,  thank you a lot, it probably would sovle my big problem about superset.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org

[GitHub] [incubator-superset] ArcherTsai edited a comment on issue #8879: Limit Role Access for specific Tables

Posted by GitBox <gi...@apache.org>.

ArcherTsai edited a comment on issue #8879: Limit Role Access for specific Tables
URL: https://github.com/apache/incubator-superset/issues/8879#issuecomment-572908085
 
 
   Someone has raised a issue about this before and it seems no one tried to deal with this.
   [Ref](https://github.com/apache/incubator-superset/issues/1531)
   
   I am not sure this is a bug or a feature. There are some codes related to access control in SQL Lab. But it would bypass the table access permission check and grant access permission to all tables in the DB as long as a user have access permission to the DB. 
   
   According to the descriptions of [SQL Lab](https://superset.incubator.apache.org/security.html#sql-lab ), access is given on a database basis. So maybe it is the design of Superset.
   
   I have done some modifications to fix this. And maybe I can commit it a few days later.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org

[GitHub] [incubator-superset] ArcherTsai commented on issue #8879: Limit Role Access for specific Tables

Posted by GitBox <gi...@apache.org>.

ArcherTsai commented on issue #8879: Limit Role Access for specific Tables
URL: https://github.com/apache/incubator-superset/issues/8879#issuecomment-597476502
 
 
   @f7753 
   
   Sorry for the late reply. 
   
   What I modified is in superset/security.py in branch 0.35
   https://github.com/apache/incubator-superset/blob/7cb3d3b5d2e05f98f0683bc72514e4d9f4ce13f8/superset/security.py#L291-L318
   
   As I noticed that this is different from the code pointed by mistercrunch and I don't have time to dig into the code, I did not commit my change.
   
   Also, I noticed that superset/security.py does not exist in 0.36 branch. Maybe this is the best modification for this issue.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org

[GitHub] [incubator-superset] ArcherTsai edited a comment on issue #8879: Limit Role Access for specific Tables

Posted by GitBox <gi...@apache.org>.

ArcherTsai edited a comment on issue #8879: Limit Role Access for specific Tables
URL: https://github.com/apache/incubator-superset/issues/8879#issuecomment-597476502
 
 
   @f7753 
   
   Sorry for the late reply. 
   
   What I modified is in superset/security.py in branch 0.35
   https://github.com/apache/incubator-superset/blob/7cb3d3b5d2e05f98f0683bc72514e4d9f4ce13f8/superset/security.py#L291-L318
   
   As I noticed that this is different from the code pointed by mistercrunch and I don't have time to dig into the code, I did not commit my change.
   
   Also, I noticed that superset/security.py does not exist in 0.36 branch. Maybe my modification is NOT the best modification for this issue.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org

[GitHub] [incubator-superset] f7753 commented on issue #8879: Limit Role Access for specific Tables

Posted by GitBox <gi...@apache.org>.

f7753 commented on issue #8879: Limit Role Access for specific Tables
URL: https://github.com/apache/incubator-superset/issues/8879#issuecomment-595588814
 
 
   Any progress? Looking forward to this fix, or what can I do to fix this?

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org

[GitHub] [incubator-superset] ArcherTsai commented on issue #8879: Limit Role Access for specific Tables

Posted by GitBox <gi...@apache.org>.

ArcherTsai commented on issue #8879: Limit Role Access for specific Tables
URL: https://github.com/apache/incubator-superset/issues/8879#issuecomment-572908085
 
 
   Someone has raised issues about this before and it seems no one tried to deal with this.
   https://github.com/apache/incubator-superset/issues/1531
   
   I am not sure this is a bug or a feature. There are some codes related to access control in SQL Lab. But it would bypass the table access permission check and grant access permission to all tables in the DB as long as a user have access permission to the DB. 
   
   I have done some modifications to fix this. And maybe I can commit it a few days later.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org

[GitHub] [incubator-superset] mistercrunch edited a comment on issue #8879: Limit Role Access for specific Tables

Posted by GitBox <gi...@apache.org>.

mistercrunch edited a comment on issue #8879: Limit Role Access for specific Tables
URL: https://github.com/apache/incubator-superset/issues/8879#issuecomment-577457922
 
 
   Oh right. This is a regression since at some point people didn't want to list the databases that users don't have access to. By restricting this now you cannot see the database in the list. All the other mechanics for per-table access should be in place once we address this.
   
   The logic defining that list is here:
   https://github.com/apache/incubator-superset/blob/003e98c231801b0ea34ebaefcff06c7ae9568faf/superset/views/database/mixins.py#L43-L51
   
   I think logically if a user is given access to a table, they should be able to list out the database attached to it. I think it's preferable to infer that, instead of say alternatively, creating another "can list this specific database" permission.
   
   The way to fix this is to figure out which tables the user has access to, and add a close in the or_ that essentially says `OR id IN (SELECT database_id FROM sqla_table WHERE perm IN (...{more subqueries in the security related tables}...))`
   
   Currently, calling `security_manager.user_view_menu_names("database_access")` in the process creates an extra database round trip, and while we could to something similar for `table_access`, it'd be preferable to do a single round trip through a more complex query, using subqueries or equivalent. Happy to give more pointers if needed.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org

[GitHub] [incubator-superset] f7753 commented on issue #8879: Limit Role Access for specific Tables

Posted by GitBox <gi...@apache.org>.

f7753 commented on issue #8879: Limit Role Access for specific Tables
URL: https://github.com/apache/incubator-superset/issues/8879#issuecomment-595592978
 
 
   @ArcherTsai  
   
   > Someone has raised [a issue](https://github.com/apache/incubator-superset/issues/1531) about this before and it seems no one tried to deal with this.
   > 
   > I am not sure this is a bug or a feature. There are some codes related to access control in SQL Lab. But it would bypass the table access permission check and grant access permission to all tables in the DB as long as a user have access permission to the DB.
   > 
   > According to the descriptions of [SQL Lab](https://superset.incubator.apache.org/security.html#sql-lab), access is given on a database basis. So maybe it is the design of Superset.
   > 
   > I have done some modifications to fix this. And maybe I can commit it a few days later.
   
   Hi，Archer, thanks for your contributition, any progress been made? Looking forward to this feature(or fix) , is there anything I can do to accelerate this issue?

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org

[GitHub] [incubator-superset] ArcherTsai edited a comment on issue #8879: Limit Role Access for specific Tables

Posted by GitBox <gi...@apache.org>.

ArcherTsai edited a comment on issue #8879: Limit Role Access for specific Tables
URL: https://github.com/apache/incubator-superset/issues/8879#issuecomment-572908085
 
 
   Someone has raised [a issue](https://github.com/apache/incubator-superset/issues/1531) about this before and it seems no one tried to deal with this.
   
   I am not sure this is a bug or a feature. There are some codes related to access control in SQL Lab. But it would bypass the table access permission check and grant access permission to all tables in the DB as long as a user have access permission to the DB. 
   
   According to the descriptions of [SQL Lab](https://superset.incubator.apache.org/security.html#sql-lab ), access is given on a database basis. So maybe it is the design of Superset.
   
   I have done some modifications to fix this. And maybe I can commit it a few days later.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org

[GitHub] [incubator-superset] stale[bot] commented on issue #8879: Limit Role Access for specific Tables

Posted by GitBox <gi...@apache.org>.

stale[bot] commented on issue #8879:
URL: https://github.com/apache/incubator-superset/issues/8879#issuecomment-629062116


   This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. For admin, please label this issue `.pinned` to prevent stale bot from closing the issue.
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org

[GitHub] [incubator-superset] stale[bot] closed issue #8879: Limit Role Access for specific Tables

Posted by GitBox <gi...@apache.org>.

stale[bot] closed issue #8879:
URL: https://github.com/apache/incubator-superset/issues/8879


   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org