You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2019/12/18 22:47:53 UTC
[GitHub] [incubator-superset] metaperl opened a new issue #8864: How to
programmatically create and assign a Superset custom role
metaperl opened a new issue #8864: How to programmatically create and assign a Superset custom role
URL: https://github.com/apache/incubator-superset/issues/8864
**Is your feature request related to a problem? Please describe.**
Currently no docs exist for creating a role programmatically - only via the UI. Also, no docs exist for programmatically customizing what happens after a database connection is created by a user in the UI.
**Describe the solution you'd like**
Some docs similar to to what follows should be added and embellished upon.
We have, via the UI, created a "Gamma_modified" role. A user with this role can create database connections. And currently, they can then be manually granted access to their created database connection.
It is our aim to
1. create the Gamma_modified role programmatically one time, when first building Superset.
1. bind the `Gamma_modified` role to `AUTH_USER_REGISTRATION_ROLE` in our `superset_config.py` so that it is the default role of new users. It is a misfeature of superset that one cannot simply list two roles for the default user registration role - https://github.com/apache/incubator-superset/issues/8861
1. automatically grant access to a newly created database connection by the creator of the connection.
# Creating a Gamma_modified Role Programmatically
The docs show how to create a role via the UI, but our delivery pipeline demands automatic creation of a role which contains the following properties beyond teh standard gamma role:
```
['can add', 'DatabaseAsync']
['can delete', 'DatabaseAsync']
['can download', 'DatabaseAsync']
['can edit', 'DatabaseAsync']
['muldelete', 'DatabaseAsync']
['yaml export', 'DatabaseAsync']
['can add', 'DatabaseView']
['can delete', 'DatabaseView']
['can download', 'DatabaseView']
['can edit', 'DatabaseView']
['muldelete', 'DatabaseView']
['yaml export', 'DatabaseView']
['can add', 'SqlMetricInlineView']
['can delete', 'SqlMetricInlineView']
['can download', 'SqlMetricInlineView']
['can edit', 'SqlMetricInlineView']
['can add', 'TableColumnInlineView']
['can delete', 'TableColumnInlineView']
['can download', 'TableColumnInlineView']
['can edit', 'TableColumnInlineView']
['can add', 'TableModelView']
['can delete', 'TableModelView']
['can download', 'TableModelView']
['can edit', 'TableModelView']
['muldelete', 'TableModelView']
['refresh', 'TableModelView']
['yaml export', 'TableModelView']
```
# bind AUTH_USER_REGISTRATION_ROLE to a custom role
It is presumed that any defined role can be chosen in our `superset_config.py` just by providing its value to `AUTH_USER_REGISTRATION_ROLE`.
# Automatically granting the creator of a role access to it.
Presumably a SQLAlchemy post-commit hook can be added to some class to automatically grant access to the creator of a database connection.
# Discussion Reflection, and Implementation
## Creating a Gamma_modified Role Programmatically
The following code creates and saves a `Gamma_modified` role:
```python
from superset import app, appbuilder, db, examples, security_manager
import gamma_extra
sm = security_manager
sm.sync_role_definitions()
gamma_modified_role = sm.add_role("gamma_modified")
for perm, view in gamma_extra.perm_views:
pv = sm.find_permission_view_menu(perm, view)
sm.add_permission_role(gamma_modified_role, pv)
for role in ["Gamma", "sql_lab"]:
for perm in sm.find_role(role).permissions:
sm.add_permission_role(gamma_modified_role, perm)
sm.get_session.commit()
```
## (Automatically) granting the creator of a role access to it.
The following code assigns `database_access` to the creator of a database:
```python
from superset import app, appbuilder, db, examples, security_manager
from superset.models import core as models
sm = security_manager
def self_permit(u, db):
pv = sm.add_permission_view_menu("database_access", db.perm)
role_name = f"(SP) database_access on {db.perm}"
role = sm.add_role(role_name)
sm.add_permission_role(role, pv)
u.roles.append(role)
sm.get_session.commit()
for database in db.session.query(models.Database):
print(database)
# print(database.creator)
c = database.created_by
print(type(c)) # <class 'flask_appbuilder.security.sqla.models.User'>
try:
print(c.id)
p = database.perm
print(type(p))
print(p)
u = sm.find_user('user3')
self_permit(u, database)
except:
pass
```
### Questions
Is there a post-commit hook that can run after a user creates a database connection that I can add this code to so that right after a user creates a connection, they receive `database_access` to it?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] stale[bot] closed issue #8864: How to
programmatically create and assign a Superset custom role
Posted by GitBox <gi...@apache.org>.
stale[bot] closed issue #8864: How to programmatically create and assign a Superset custom role
URL: https://github.com/apache/incubator-superset/issues/8864
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] stale[bot] commented on issue #8864: How to
programmatically create and assign a Superset custom role
Posted by GitBox <gi...@apache.org>.
stale[bot] commented on issue #8864: How to programmatically create and assign a Superset custom role
URL: https://github.com/apache/incubator-superset/issues/8864#issuecomment-586766818
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. For admin, please label this issue `.pinned` to prevent stale bot from closing the issue.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [superset] conrad-zengines-ai commented on issue #8864: How to programmatically create and assign a Superset custom role
Posted by GitBox <gi...@apache.org>.
conrad-zengines-ai commented on issue #8864:
URL: https://github.com/apache/superset/issues/8864#issuecomment-996012307
Hi,
This solution would be great to add to the documentation. @metaperl where would I add this code? superset_config.py?
Thanks,
Conrad
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [superset] conrad-zengines-ai edited a comment on issue #8864: How to programmatically create and assign a Superset custom role
Posted by GitBox <gi...@apache.org>.
conrad-zengines-ai edited a comment on issue #8864:
URL: https://github.com/apache/superset/issues/8864#issuecomment-996012307
Hi,
This solution would be great to add to the documentation. @metaperl where would I add this code? superset_config.py?
Thanks,
C.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [superset] wiktor2200 commented on issue #8864: How to programmatically create and assign a Superset custom role
Posted by GitBox <gi...@apache.org>.
wiktor2200 commented on issue #8864:
URL: https://github.com/apache/superset/issues/8864#issuecomment-1016520071
Hello! I'm also trying to add custom role, but with no success. I'm still getting error:
```
AttributeError: 'NoneType' object has no attribute 'user_model'
```
Even when I've changed the code to barely minimum.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org