Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2019/12/01 10:14:13 UTC

[GitHub] [incubator-superset] villebro commented on issue #8699: [SIP-29] Add support for row-level security

villebro commented on issue #8699: [SIP-29] Add support for row-level security
URL: https://github.com/apache/incubator-superset/pull/8699#issuecomment-560086938
 
 
   I think it is important to support belonging to multiple roles early on. Think AD/LDAP in a corporate setting; not uncommon to belong to hundreds of groups. Regarding implementation, I would propose just adding a column "role_based_filters" or similar to the tables table with the metadata:
   ```json
   { 
      "defaults":{ 
         "duration":"report_date >= current_timestamp() - 1",
         "dept":"false"
      },
      "roles":{ 
         "finance":{ 
            "duration":"report_date >= current_timestamp() - 30",
            "dept":"dept_id = 1"
         },
         "risk":{ 
            "dept":"dept_id = 2"
         }
      }
   }
   ```
   In this example, users that don't belong to any group would get a WHERE clause that returns zero rows due to the "false" clause (`SELECT col FROM table WHERE FALSE` -> no rows), and by default only the last day's data would be available. If the user belongs to the "risk" Role, they would see only "dept_id = 2" for the last day (default clause for "duration"), whereas "finance" would see "dept_id = 1" for the last 30 days. Belonging to both would return data for both departments with 30 days of data.
   
   One could later add the same column to the charts table, making it possible to introduce the same functionality on a per-chart basis. With regards to the filter statements, I would propose using the same filter format that's currently used for `adhoc_filters`, which would enable us to leverage existing React components that allow for a much more user-friendly means to add filters. To introduce the functionality, I would break the SIP into two parts; first introducing the backend functionality, i.e. adding the new column to table, making it possible to edit the filters by poking at the table metadata, and later adding proper UI functionality for editing the metadata.

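The role merge described in the comment above, as an added example that is not part of the original comment and not Superset code. The function name `build_rls_clause` and the merge rule (OR the clauses of one filter key across the user's roles, AND across keys, fall back to the default when no role sets the key) are assumptions chosen to reproduce the outcomes the comment lists.

```python
# Constructed sample: the "role_based_filters" metadata from the comment.
RLS_METADATA = {
    "defaults": {
        "duration": "report_date >= current_timestamp() - 1",
        "dept": "false",
    },
    "roles": {
        "finance": {
            "duration": "report_date >= current_timestamp() - 30",
            "dept": "dept_id = 1",
        },
        "risk": {"dept": "dept_id = 2"},
    },
}


def build_rls_clause(metadata, user_roles):
    """Return the WHERE fragment for a user holding `user_roles` (hypothetical helper)."""
    defaults = metadata.get("defaults", {})
    roles = metadata.get("roles", {})

    # Filter keys in a stable order: defaults first, then keys only roles define.
    keys = list(defaults)
    for role_filters in roles.values():
        keys.extend(k for k in role_filters if k not in keys)

    groups = []
    for key in keys:
        clauses = []
        # Roles missing from the metadata contribute nothing.
        for role in sorted(set(user_roles)):
            clause = roles.get(role, {}).get(key)
            if clause is not None and clause not in clauses:
                clauses.append(clause)
        if not clauses:
            # Assumption: a key with no role clause and no default fails closed.
            clauses = [defaults.get(key, "false")]
        # Parenthesize every fragment so an OR inside one clause cannot
        # change the precedence of the combined predicate.
        groups.append("(" + " OR ".join(f"({c})" for c in clauses) + ")")

    # Assumption: metadata with no filter keys at all also fails closed.
    return " AND ".join(groups) if groups else "false"
```

The clauses are spliced into SQL verbatim, so write access to this metadata column is equivalent to write access to the row-level policy and needs the same access control.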