Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2019/09/05 00:42:53 UTC

[GitHub] [incubator-superset] john-bodley opened a new pull request #8175: [metric] Adding security for restricted metrics

john-bodley opened a new pull request #8175: [metric] Adding security for restricted metrics
URL: https://github.com/apache/incubator-superset/pull/8175
 
 
   ### CATEGORY
   
   Choose one
   
   - [ ] Bug Fix
   - [x] Enhancement (new features, refinement)
   - [ ] Refactor
   - [x] Add tests
   - [ ] Build / Development Environment
   - [ ] Documentation
   
   ### SUMMARY
   
   For both the Druid and SQLA connectors, metrics can be restricted (via the `metric_access` permission); however, there were not really any security checks associated with this. For the Druid connector, there was a check to see if restricted metrics were being used at query time (though this can be pushed higher in the stack to the views given that the Druid REST API doesn't support SQL).
   
   I realize that with the advent of ad-hoc metrics, the notion of restricted metrics is probably somewhat obsolete, but there seems to be merit in having the security manager be _more_ context aware from a permission standpoint for the `explore_json`, `slice_json`, or `v1/query` routes, where, rather than checking whether the user has access to the datasource, the check should be at the visualization or query context level (higher fidelity).
   
   ### TEST PLAN
   
   Added unit tests.
   
   ### ADDITIONAL INFORMATION
   - [ ] Has associated issue:
   - [ ] Changes UI
   - [ ] Requires DB Migration.
   - [ ] Confirm DB Migration upgrade and downgrade tested.
   - [ ] Introduces new feature or API
   - [ ] Removes existing feature or API
   
   ### REVIEWERS
   
   to: @betodealmeida @DiggidyDave @michellethomas @mistercrunch @villebro 

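The difference between a datasource-level check and a query-context-level check for restricted metrics, as an added example that is not code from the pull request or from Superset. The classes, function names, `datasource_access` pairing and sample data are hypothetical and constructed for illustration; only the `metric_access` permission name comes from the description above, and the sketch covers saved metric names only, not ad-hoc metrics.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Metric:
    name: str
    perm: str                    # view-menu name guarding this metric (constructed)
    is_restricted: bool = False


@dataclass
class Datasource:
    perm: str
    metrics: dict                # saved metric name -> Metric


@dataclass
class User:
    perms: set = field(default_factory=set)   # (permission, view_menu) pairs

    def can(self, permission, view_menu):
        return (permission, view_menu) in self.perms


def datasource_level_check(user, datasource):
    """Coarse check: asks only whether the user may use the datasource."""
    return user.can("datasource_access", datasource.perm)


def denied_metrics(user, datasource, requested):
    """Query-context check: requested metric names the user may not use."""
    denied = []
    for name in requested:
        metric = datasource.metrics.get(name)
        if metric is None:
            denied.append(name)  # unknown saved metric: fail closed (assumption)
        elif metric.is_restricted and not user.can("metric_access", metric.perm):
            denied.append(name)
    return denied


def query_level_check(user, datasource, requested):
    """Allow the query only if the datasource and every metric are permitted."""
    return (datasource_level_check(user, datasource)
            and not denied_metrics(user, datasource, requested))


# Constructed sample data: "margin" is restricted, "count" is not.
SALES = Datasource(perm="[main].[sales]", metrics={
    "count": Metric("count", "[main].[sales].[count]"),
    "margin": Metric("margin", "[main].[sales].[margin]", is_restricted=True),
})
ANALYST = User({("datasource_access", "[main].[sales]")})
FINANCE = User(ANALYST.perms | {("metric_access", "[main].[sales].[margin]")})
```

With this data, `ANALYST` passes the datasource-level check for a query that includes `margin`, while the query-level check rejects it and `denied_metrics` names the offending metric.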