You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@superset.apache.org by "villebro (via GitHub)" <gi...@apache.org> on 2023/04/24 07:41:27 UTC

[GitHub] [superset] villebro commented on a diff in pull request #23777: feat(revert): Re-introduces the RLS page

villebro commented on code in PR #23777:
URL: https://github.com/apache/superset/pull/23777#discussion_r1174893780


##########
superset/row_level_security/api.py:
##########
@@ -0,0 +1,349 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+import logging
+from typing import Any
+
+from flask import request, Response
+from flask_appbuilder.api import expose, protect, rison, safe
+from flask_appbuilder.models.sqla.interface import SQLAInterface
+from flask_babel import ngettext
+from marshmallow import ValidationError
+
+from superset import app
+from superset.commands.exceptions import (
+    DatasourceNotFoundValidationError,
+    RolesNotFoundValidationError,
+)
+from superset.connectors.sqla.models import RowLevelSecurityFilter
+from superset.constants import MODEL_API_RW_METHOD_PERMISSION_MAP, RouteMethod
+from superset.dao.exceptions import DAOCreateFailedError, DAOUpdateFailedError
+from superset.extensions import event_logger
+from superset.row_level_security.commands.bulk_delete import BulkDeleteRLSRuleCommand
+from superset.row_level_security.commands.create import CreateRLSRuleCommand
+from superset.row_level_security.commands.exceptions import RLSRuleNotFoundError
+from superset.row_level_security.commands.update import UpdateRLSRuleCommand
+from superset.row_level_security.schemas import (
+    get_delete_ids_schema,
+    RLSListSchema,
+    RLSPostSchema,
+    RLSPutSchema,
+    RLSShowSchema,
+)
+from superset.views.base_api import (
+    BaseSupersetModelRestApi,
+    requires_json,
+    statsd_metrics,
+)
+
+logger = logging.getLogger(__name__)
+
+
+class RLSRestApi(BaseSupersetModelRestApi):
+    datamodel = SQLAInterface(RowLevelSecurityFilter)
+    include_route_methods = RouteMethod.REST_MODEL_VIEW_CRUD_SET | {
+        RouteMethod.RELATED,
+        "bulk_delete",
+    }
+    resource_name = "rowlevelsecurity"
+    class_permission_name = "Row Level Security"
+    openapi_spec_tag = "Row Level Security"
+    method_permission_name = MODEL_API_RW_METHOD_PERMISSION_MAP
+    allow_browser_login = True
+
+    list_columns = [
+        "id",
+        "name",
+        "filter_type",
+        "tables.id",
+        "tables.table_name",
+        "roles.id",
+        "roles.name",
+        "clause",
+        "changed_on_delta_humanized",
+        "group_key",
+    ]
+    order_columns = [
+        "name",
+        "filter_type",
+        "clause",
+        "changed_on_delta_humanized",
+        "group_key",
+    ]
+    add_columns = [
+        "name",
+        "description",
+        "filter_type",
+        "tables",
+        "roles",
+        "group_key",
+        "clause",
+    ]
+    show_columns = [
+        "name",
+        "description",
+        "filter_type",
+        "tables.id",
+        "tables.schema",
+        "tables.table_name",
+        "roles.id",
+        "roles.name",
+        "group_key",
+        "clause",
+    ]
+    search_columns = (
+        "name",
+        "description",
+        "filter_type",
+        "tables",
+        "roles",
+        "group_key",
+        "clause",
+    )
+    edit_columns = add_columns
+
+    show_model_schema = RLSShowSchema()
+    list_model_schema = RLSListSchema()
+    add_model_schema = RLSPostSchema()
+    edit_model_schema = RLSPutSchema()
+
+    allowed_rel_fields = {"tables", "roles"}
+    base_related_field_filters = app.config["RLS_BASE_RELATED_FIELD_FILTERS"]

Review Comment:
   In #22526 we introduced `EXTRA_RELATED_QUERY_FILTERS ` which already has filters for `role` and `user`. I think it might make sense deprecate `RLS_BASE_RELATED_FIELD_FILTERS` and leverage the more global config parameter here by doing the following:
   - assume that `EXTRA_RELATED_QUERY_FILTERS["role"]` also applies to RLS
   - Add `table` to `EXTRA_RELATED_QUERY_FILTERS`.
   
   I tried this and it nicely filtered the roles and tables to match what's available on the datasets page and elsewhere:
   
   ```python
       from superset.views.base import DatasourceFilter
       from superset.views.filters import BaseFilterRelatedRoles
   
       base_related_field_filters = {
           "tables": [["id", DatasourceFilter, lambda: []]],
           "roles": [["id", BaseFilterRelatedRoles, lambda: []]],
       }
   ```
   
   WDYT?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org