You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2019/11/24 04:03:27 UTC

[GitHub] [incubator-superset] justin-barton opened a new issue #8644: [SIP-29] Add support for row-level security

justin-barton opened a new issue #8644: [SIP-29] Add support for row-level security
URL: https://github.com/apache/incubator-superset/issues/8644
 
 
   ## [SIP-29] Proposal to add support for row-level security
   ### Motivation
   
   Many BI applications, particularly in multi-tenancy scenarios, require support for row-level security. That is, the ability to show different slices of a table to users based on some user attribute. 
   
   This feature has been requested in Superset several times, including:
   https://github.com/apache/incubator-superset/issues/660
   https://github.com/apache/incubator-superset/issues/5128
   https://github.com/apache/incubator-superset/issues/7887
   https://github.com/apache/incubator-superset/issues/8023
   
   ### Proposed Change
   
   Primarily, this feature would require two sub-features:
   1. The ability to add user attributes
   2. The ability to filter queries based on these attributes
   
   The proposed solution would be to add an 'attributes' property to roles that would essentially be a user-defined key-value store:
   <img width="1239" alt="Screenshot 2019-11-24 02 35 54" src="https://user-images.githubusercontent.com/48782327/69489249-cb66f300-0e6c-11ea-9be2-905a25d2548f.png">
   
   and to make those role attributes available as values for Query Filters:
   <img width="1237" alt="Screenshot 2019-11-24 02 38 26" src="https://user-images.githubusercontent.com/48782327/69489261-f2252980-0e6c-11ea-90d8-658b24fd82d3.png">
   
   
   ### New or Changed Public Interfaces
   
   - New 'attributes' property added to roles
   - Changes to Query Filters to allow access to attribute values (e.g by macros like WHERE column={{role.attributes.key}}
   - Minor UI changes associated with the above
   
   ### New dependencies
   
   N/A
   
   ### Migration Plan and Compatibility
   
   TBD
   
   ### Rejected Alternatives
   
   Pre-processing data into multiple tables or views:
   - This solution does not scale well, and requires all attribute values to be known a priori
   - Requires duplicate dashboards and charts
   
   Reverse proxy
   - Issues with identifying the user initiating the query

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org