Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2021/09/01 22:06:52 UTC

[GitHub] [superset] shawnzhu opened a new issue #16557: [SIP-72] dataset RBAC

shawnzhu opened a new issue #16557:
URL: https://github.com/apache/superset/issues/16557


   *Please make sure you are familiar with the SIP process documented*
   [here](https://github.com/apache/superset/issues/5602). The SIP number should be the next number after the latest SIP listed [here](https://github.com/apache/superset/issues?q=is%3Aissue+label%3Asip).
   
   ## [SIP-72] Proposal for dataset RBAC
   
   ### Motivation
   
   When bringing either department-level databases or Trino into Superset, it's hard to share the database itself with any role that contains users outside that department (e.g., 100+ users want to use a dataset via Superset, but they cannot get database access at all), which means it will push any dataset owner to share dashboards only (thanks to `DASHBOARD_RBAC`) without exposing the underlying dataset or chart.
   
   ### Proposed Change
   
   Create a new feature flag `DATASET_RBAC`, similar to the feature flag `DASHBOARD_RBAC`. It will enable a dataset creator/owner to grant read-only access to roles via the dataset properties dialog.
   
   When a dataset is granted to role `Gamma`, any user who belongs to this role will be able to see this dataset in the dataset list view.
   
   ### New or Changed Public Interfaces
   
   It will add a new dropdown box named _ACCESS_ to the _SETTINGS_ tab of the _Edit dataset_ dialog, where it allows the dataset owner to select roles that have read-only access to this dataset.
   
   ### New dependencies
   
   None.
   
   ### Migration Plan and Compatibility
   
   It will need a new model named `dataset_roles`, and it supports backward compatibility via the feature flag `DATASET_RBAC`.
   
   ### Rejected Alternatives
   
   1. It can ask users to request database access within Superset, so that they can get access to all datasets out of this database. But usually it's not feasible, since database-level access means a user can explore any table/schema of this database under the stored database access.
   2. Ask the database admin to create user access individually or enable impersonation rules like that in Trino. This is not feasible if the existing database doesn't support such a process, or a Superset user needs to create their own database connection in Superset, which brings even more work to a Superset admin who needs to create roles to grant database access individually.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org


[GitHub] [superset] nytai commented on issue #16557: [SIP-72] dataset RBAC

Posted by GitBox <gi...@apache.org>.
nytai commented on issue #16557:
URL: https://github.com/apache/superset/issues/16557#issuecomment-910842979


   Superset already supports this functionality to some degree via the edit roles view; dataset/datasource access can be granted to roles.
   
   <img width="1418" alt="Screen Shot 2021-09-01 at 3 23 29 PM" src="https://user-images.githubusercontent.com/10255196/131753312-b39e8aee-e702-4c47-afaa-9af0c104fcfa.png">
   
   Is this proposal mainly to improve this UI/workflow by adding this control directly on the dataset edit modal instead of in the edit roles menu?




[GitHub] [superset] shawnzhu edited a comment on issue #16557: [SIP-72] dataset RBAC

Posted by GitBox <gi...@apache.org>.
shawnzhu edited a comment on issue #16557:
URL: https://github.com/apache/superset/issues/16557#issuecomment-910949849


   @nytai Thanks for the feedback!
   
   I've seen it creates a new record in `ab_view_menu` for a new `sqltable` (i.e., a dataset in Superset) plus a new record in `ab_permission_view`, so that it could manage dataset access via editing roles just like how to manage database access as well.
   
   > Is this proposal mainly to improve this UI/workflow by adding this control directly on the dataset edit modal instead of in the edit roles menu? This would also allow dataset owners to grant access instead of having to ask someone with edit roles access to grant access?
   
   Yes and yes. I think such a workflow should apply to database access management as well, so that a database/dataset owner can choose who can access this database/dataset. And such permission granting can be overridden by those with edit roles access.




[GitHub] [superset] shawnzhu edited a comment on issue #16557: [SIP-72] dataset RBAC

Posted by GitBox <gi...@apache.org>.
shawnzhu edited a comment on issue #16557:
URL: https://github.com/apache/superset/issues/16557#issuecomment-942817170








[GitHub] [superset] amitmiran137 commented on issue #16557: [SIP-72] dataset RBAC

Posted by GitBox <gi...@apache.org>.
amitmiran137 commented on issue #16557:
URL: https://github.com/apache/superset/issues/16557#issuecomment-911502003


   I just want to this to the broader discussion of Access
   
   ## Prerequisite - Generic Data Access Control
   To achieve the SIP goals, prevent and reduce conceptual and design complexity, a generic data access objects mechanism is required. There is no need reusing the code for dashboards access mechanism, or decuple security mechanism to concrete data objects. This mechanism includes three parts:
   
   1. Create data access objects - permissions objects
   2. Granting permissions objects to others
   3. Permission validations
   
   Currently Superset achieves it by depending on the FAB View/Api security models and mechanisms of access control.
   The big dilemma is the data access control should be separated from FAB View/Api access control. Our suggested solution suggests that, from the designer's perspective, both are the same. Thus, by modifying some definitions and defining new ones, the FAB access control can be transformed to be a “Resource Access control” and control access for all the cases without complicating it.
   **Resource Access control** can be integrated directly into FAB, or alternatively alter and customise it under the Superset layer.
   
   ### Definitions
   Resource - a View is a resource and an API endpoint is a resource too, so any kind of data object can be seen as a resource as well (this is REST by definition).
   Data objects - Dashboard, Chart, Dataset, Database, etc. - can be seen as specializations of resources.
   Operation - a specific operation on resources, like read, write, delete and so on.
   Operator - Role, Owner, etc. - entities who operate on resources.
   Permission - a right to perform a specific operation on a resource.
   Access control rule - the operations on a resource that an Operator can do.
   Security permission objects - the objects that represent resources, permissions and permission owning as rules.
   
   ### Model Specifications
   
   1. There are several operations on each resource (read/access, edit/update, delete/remove, grantor, export, etc.)
   2. Resources can be drilled down (dashboard can be drilled down to a specific dashboard)
   3. There are “Operators” who can have permission to do several (or all) operations on the same resource
   4. There are “Operators” who can have the same permission for all the drilled-down resources. Example: I have permission to all dashboards, or simply represent it by “dashboard” or a specific resource.
   5. There are groups of operators who have common permissions (Role)
   6. There are use cases in which a grantor operator would like to grant permission to other operators
   7. There are use cases that require several permissions for several different resources. Example: fetching a specific dashboard needs an access permission for the “GET DASHBOARD” endpoint resource and a read permission for the specific dashboard.
   
   ![operator](https://user-images.githubusercontent.com/47772523/95468043-cd537b00-0986-11eb-8599-547c0507b47d.png)
   
   As can be deduced, the terms changed a bit, so for easy adapting the new terms, the same diagram with the old terms is
   
   ![role](https://user-images.githubusercontent.com/47772523/95468248-fd028300-0986-11eb-9711-bd406241bc42.png)
   
   ## table diagram for proposed solution
   ![Copy of FAB tables (1)](https://user-images.githubusercontent.com/47772523/95469105-ead51480-0987-11eb-97d8-80331e1804a3.png)
   
   


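The "Resource Access control" model specified in the comment above, applied to the SIP's case of a dataset owner granting read-only access to the `Gamma` role. This is an added sketch, not code from Superset, Flask-AppBuilder or any participant in the thread; the class, the operator names (`owner:alice`), the resource names (`dataset:7`, `endpoint:get_dataset`) and the read-only delegation limit are assumptions made for illustration.

```python
from dataclasses import dataclass

# Operation names follow the comment's list; "grantor" is the right to grant.
ACCESS, READ, WRITE, GRANTOR = "access", "read", "write", "grantor"


@dataclass(frozen=True)
class Rule:
    """Access control rule: an operator may perform an operation on a resource."""
    operator: str   # a Role or an Owner
    operation: str
    resource: str   # "dataset" (all datasets) or "dataset:7" (one dataset)


class ResourceAccessControl:
    def __init__(self):
        self._rules = set()

    def add_rule(self, operator, operation, resource):
        """Administrative path (e.g. the edit-roles view): no grantor check."""
        self._rules.add(Rule(operator, operation, resource))

    @staticmethod
    def _scopes(resource):
        # Spec items 2 and 4: a rule on "dataset" covers every "dataset:<id>".
        parts = resource.split(":")
        return [":".join(parts[:n]) for n in range(len(parts), 0, -1)]

    def allowed(self, operators, operation, resource):
        return any(
            Rule(op, operation, scope) in self._rules
            for op in operators
            for scope in self._scopes(resource)
        )

    def authorize(self, operators, required):
        """Spec item 7: one request may need several permissions at once."""
        return all(self.allowed(operators, op, res) for op, res in required)

    def grant(self, grantor_operators, operator, operation, resource):
        """Spec item 6: only a holder of 'grantor' on the resource may grant."""
        if not self.allowed(grantor_operators, GRANTOR, resource):
            raise PermissionError(f"no grantor right on {resource}")
        # Assumption taken from the SIP text: owners delegate read-only access.
        if operation != READ:
            raise PermissionError("owners may delegate read-only access")
        self._rules.add(Rule(operator, operation, resource))


def build_example():
    """Constructed scenario: alice owns dataset 7 and shares it with Gamma."""
    rac = ResourceAccessControl()
    rac.add_rule("Admin", READ, "dataset")                  # every dataset
    rac.add_rule("Gamma", ACCESS, "endpoint:get_dataset")   # the API endpoint
    rac.add_rule("owner:alice", GRANTOR, "dataset:7")
    rac.add_rule("owner:alice", WRITE, "dataset:7")
    rac.grant(["owner:alice"], "Gamma", READ, "dataset:7")
    return rac


if __name__ == "__main__":
    rac = build_example()
    fetch_7 = [(ACCESS, "endpoint:get_dataset"), (READ, "dataset:7")]
    fetch_8 = [(ACCESS, "endpoint:get_dataset"), (READ, "dataset:8")]
    print("Gamma fetch dataset 7:", rac.authorize(["Gamma"], fetch_7))
    print("Gamma fetch dataset 8:", rac.authorize(["Gamma"], fetch_8))
    print("Gamma write dataset 7:", rac.allowed(["Gamma"], WRITE, "dataset:7"))
```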


[GitHub] [superset] amitmiran137 commented on issue #16557: [SIP-72] dataset RBAC

Posted by GitBox <gi...@apache.org>.
amitmiran137 commented on issue #16557:
URL: https://github.com/apache/superset/issues/16557#issuecomment-927042952


   Hey @shawnzhu  let's co-op on this , I'll help you get this done 💪




[GitHub] [superset] shawnzhu edited a comment on issue #16557: [SIP-72] dataset RBAC

Posted by GitBox <gi...@apache.org>.
shawnzhu edited a comment on issue #16557:
URL: https://github.com/apache/superset/issues/16557#issuecomment-912767673


   @amitmiran137 Thanks for pointing out the essential problem around RBAC.
   
   When reading the doc [Customizing Permissions](https://superset.apache.org/docs/security#customizing-permissions), I realized it only creates ONE permission (i.e., `datasource_access`) for each data source, which means if it assigns the permission `datasource access to [db].[dataset_name](id:x)` to a role, any user within this role could edit/view this dataset, so I understand it could treat individual data objects just like other view/model where it can associate permissions (or the new term _operation_) like `can_read`, `can_write` and/or `can_delete`.
   
   @nytai do you think it's feasible to make such a change like https://github.com/apache/superset/issues/16557#issuecomment-911502003 in this SIP? Or I could go ahead to make the desired workflow with the existing single permission `datasource_access`, then collect feedback?




[GitHub] [superset] shawnzhu commented on issue #16557: [SIP-72] dataset RBAC

Posted by GitBox <gi...@apache.org>.
shawnzhu commented on issue #16557:
URL: https://github.com/apache/superset/issues/16557#issuecomment-910949849


   @nytai Thanks for the feedback!
   
   I've seen it creates a new record in `ab_view_menu` for a new `sqltable` (i.e., a dataset in Superset) plus a new record in `ab_permission_view`, so that it could manage dataset access via editing roles just like how to manage database access as well.
   
   > Is this proposal mainly to improve this UI/workflow by adding this control directly on the dataset edit modal instead of in the edit roles menu? This would also allow dataset owners to grant access instead of having to ask someone with edit roles access to grant access?
   
   Yes and yes. I think such a workflow should apply to database access management as well, so that a database/dataset owner can choose who can access this database/dataset. And such permission granting can be overridden by those with edit roles access.




[GitHub] [superset] amitmiran137 commented on issue #16557: [SIP-72] dataset RBAC

Posted by GitBox <gi...@apache.org>.
amitmiran137 commented on issue #16557:
URL: https://github.com/apache/superset/issues/16557#issuecomment-917571523


   > @shawnzhu the UI improvement sounds good to me, seems very useful and has low impact on the current RBAC system.
   > 
   > > when reading the doc Customizing Permissions, I realized it only creates ONE permission (i.e., datasource_access) for each data source, which means if it assigns the permission datasource access to [db].dataset_name to a role, any user within this role could edit/view this dataset, so I understand it could treat individual data objects just like other view/model where it can associate permissions (or the new term operation) like can_read, can_write and/or can_delete.
   > 
   > yes, but do note this is not how it works now, it's treated as datasource access only
   > 
   > I think @amitmiran137 goal is something we should discuss and get to a general consensus, would be great to sync and get to a final technical solution for Superset 2.0 where we can safely break backward compatibility. Currently I vote for the desired workflow with the existing single permission behind a feature flag.
   
   I disagree with postponing that final decision with the fact that **2.0** planning should start now.
   Having another permission with another feature flag would just further complicate things for us.
   What would be the point of this SIP if we know that soon enough we intend to break it?
   
   




[GitHub] [superset] shawnzhu edited a comment on issue #16557: [SIP-72] dataset RBAC

Posted by GitBox <gi...@apache.org>.
shawnzhu edited a comment on issue #16557:
URL: https://github.com/apache/superset/issues/16557#issuecomment-910949849


   @nytai Thanks for the feedback!
   
   I've seen it creates a new record in `ab_view_menu` for a new `sqltable` (i.e., a dataset in Superset) plus a new record in `ab_permission_view`, so that it could manage dataset access via editing roles just like how to manage database access as well.
   
   > Is this proposal mainly to improve this UI/workflow by adding this control directly on the dataset edit modal instead of in the edit roles menu? This would also allow dataset owners to grant access instead of having to ask someone with edit roles access to grant access?
   
   Yes and yes. I think such a workflow should apply to database access management as well, so that a database/dataset owner can choose who can access this database/dataset. And such permission granting can be overridden by those with edit roles access.
   
   Such workflow is very popular in Google Drive, Box and DropBox where a file/folder owner should decide who can access this file/folder he/she owns.




[GitHub] [superset] shawnzhu commented on issue #16557: [SIP-72] dataset RBAC

Posted by GitBox <gi...@apache.org>.
shawnzhu commented on issue #16557:
URL: https://github.com/apache/superset/issues/16557#issuecomment-912767673


   @amitmiran137 Thanks for pointing out the essential problem around RBAC.
   
   When reading the doc [Customizing Permissions](https://superset.apache.org/docs/security#customizing-permissions), I realized it only creates one permission (i.e., `datasource_access`) for each data source, which means if it assigns the permission `datasource access to [db].[dataset_name](id:x)` to a role, any user within this role could edit/view this dataset, so I understand it could treat individual data objects just like other view/model where it can associate permissions (or the new term _operation_) like `can_read`, `can_write` and/or `can_delete`.
   
   @nytai do you think it's feasible to make such a change like https://github.com/apache/superset/issues/16557#issuecomment-911502003 in this SIP? Or I could go ahead to make the desired workflow with the existing single permission `datasource_access`, then collect feedback?




[GitHub] [superset] shawnzhu edited a comment on issue #16557: [SIP-72] dataset RBAC

Posted by GitBox <gi...@apache.org>.
shawnzhu edited a comment on issue #16557:
URL: https://github.com/apache/superset/issues/16557#issuecomment-922059889


   My plan:
   
   1. [ ] Add feature flags for both backend and frontend (https://github.com/apache-superset/superset-ui/pull/1366)
   2. [ ] Add a roles selector to the DatasourceEditor #16755 
   3. [ ] Update dataset API by syncing dataset permission to roles




[GitHub] [superset] shawnzhu commented on issue #16557: [SIP-72] dataset RBAC

Posted by GitBox <gi...@apache.org>.
shawnzhu commented on issue #16557:
URL: https://github.com/apache/superset/issues/16557#issuecomment-922059889


   My plan:
   
   1. [ ] Add feature flags for both backend and frontend (https://github.com/apache-superset/superset-ui/pull/1366)
   2. [ ] Add a roles selector to the DatasourceEditor
   3. [ ] Update dataset API by syncing dataset permission to roles




[GitHub] [superset] shawnzhu commented on issue #16557: [SIP-72] dataset RBAC

Posted by GitBox <gi...@apache.org>.
shawnzhu commented on issue #16557:
URL: https://github.com/apache/superset/issues/16557#issuecomment-942817170


   Review and learn from https://github.com/apache/superset/pull/17057 which will simplify the design of permission menu updates.




[GitHub] [superset] shawnzhu commented on issue #16557: [SIP-72] dataset RBAC

Posted by GitBox <gi...@apache.org>.
shawnzhu commented on issue #16557:
URL: https://github.com/apache/superset/issues/16557#issuecomment-924374675


   @junlincc Thanks for the suggestion. see [this thread](https://lists.apache.org/thread.html/r3dfe514b301eb3aa409a7920c2f80a1dd4a6974e42162387c13d97ee%40%3Cdev.superset.apache.org%3E)




[GitHub] [superset] dpgaspar commented on issue #16557: [SIP-72] dataset RBAC

Posted by GitBox <gi...@apache.org>.
dpgaspar commented on issue #16557:
URL: https://github.com/apache/superset/issues/16557#issuecomment-916808470


   @shawnzhu the UI improvement sounds good to me, seems very useful and has low impact on the current RBAC system.
   
   > when reading the doc Customizing Permissions, I realized it only creates ONE permission (i.e., datasource_access) for each data source, which means if it assigns the permission datasource access to [db].[dataset_name](id:x) to a role, any user within this role could edit/view this dataset, so I understand it could treat individual data objects just like other view/model where it can associate permissions (or the new term operation) like can_read, can_write and/or can_delete.
   
   yes, but do note this is not how it works now, it's treated as datasource access only
   
   I think @amitmiran137 goal is something we should discuss and get to a general consensus, would be great to sync and get to a final technical solution for Superset 2.0 where we can safely break backward compatibility. Currently I vote for the desired workflow with the existing single permission behind a feature flag.




[GitHub] [superset] nytai edited a comment on issue #16557: [SIP-72] dataset RBAC

Posted by GitBox <gi...@apache.org>.
nytai edited a comment on issue #16557:
URL: https://github.com/apache/superset/issues/16557#issuecomment-910842979


   Superset already supports this functionality to some degree via the edit roles view; dataset/datasource access can be granted to roles.
   
   <img width="1418" alt="Screen Shot 2021-09-01 at 3 23 29 PM" src="https://user-images.githubusercontent.com/10255196/131753312-b39e8aee-e702-4c47-afaa-9af0c104fcfa.png">
   
   Is this proposal mainly to improve this UI/workflow by adding this control directly on the dataset edit modal instead of in the edit roles menu? This would also allow dataset owners to grant access instead of having to ask someone with edit roles access to grant access? 




[GitHub] [superset] junlincc commented on issue #16557: [SIP-72] dataset RBAC

Posted by GitBox <gi...@apache.org>.
junlincc commented on issue #16557:
URL: https://github.com/apache/superset/issues/16557#issuecomment-924188449


   @shawnzhu would you like to send an email to dev, to drive more discussion and move this forward? 

