You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2019/11/30 04:30:05 UTC
[GitHub] [incubator-superset] altef opened a new pull request #8699:
[WIP][SIP-29] Add support for row-level security
altef opened a new pull request #8699: [WIP][SIP-29] Add support for row-level security
URL: https://github.com/apache/incubator-superset/pull/8699
### CATEGORY
Choose one
- [ ] Bug Fix
- [x] Enhancement (new features, refinement)
- [ ] Refactor
- [ ] Add tests
- [ ] Build / Development Environment
- [ ] Documentation
### SUMMARY
Many BI applications, particularly in multi-tenancy scenarios, require support for row-level security. That is, the ability to show different slices of a table to users based on some user attribute. To accomplish this, I've added a new model to describe row level security filters, which references a Table and a Role. So when adding a row level security filter, you specify a particular Role and Table.
When querying that table, the applicable filters are added to the query. I've modified the query function [here](https://github.com/altef/incubator-superset/commit/ab6ae456daecd34e676273fa4d43c52875e00e94#diff-6506def3966137541a05177a6fb169d7R981-R987) to add any relevant to the WHERE clause.
As well, I've added a UI for managing the row level security filters. And for convenience, added it as a related view for tables.
### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
Before:
After:
1. Row level security filters added to the Security menu:
2. Row level security list
3. Row level security interface
That allows for the management of the RowLevelSecurityFilters model. Additionally, for convenience, I've added it as a related view for tables.
After logging in with a user assigned to that role, I can still supply additional filters:
The generated SQL includes the additional filters AND the clause supplied by the row level security filter(s).
### TEST PLAN
<!--- What steps should be taken to verify the changes -->
Everything seems to be working as expected on my end, but a few things should be done to verify the changes.
1. Set up a limited user
1. Create a new role and give it access to a table.
2. Create a new user and assign it the ``Gamma`` role, as well as the role you've just created.
3. Create a ``Row level security filter`` and assign it the table and row.
2. Ensure that the table is still working as expected for you (there should be no change)
3. Create a simple dashboard built on that table
4. Verify the limited user is only seeing the filtered data
1. Log in as the limited user
2. Check the table to ensure the filter is being applied.
3. Check the dashboard to ensure the data is being limited.
### ADDITIONAL INFORMATION
<!--- Check any relevant boxes with "x" -->
<!--- HINT: Include "Fixes #nnn" if you are fixing an existing issue -->
- [x] Has associated issue: [#8644 ](https://github.com/apache/incubator-superset/issues/8644)
- [x] Changes UI
- [x] Requires DB Migration.
- To add a new model.)
- [ ] Confirm DB Migration upgrade and downgrade tested.
- I tested it, but presumably this doesn't apply to me?
- [x] Introduces new feature or API
- [ ] Removes existing feature or API
### REVIEWERS
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org