feat: datasource access to allow more granular access to tables on SQL Lab #18064
Conversation
victorarbuesmallada
force-pushed
the
feature/datasource-access-sql-lab
branch
2 times, most recently
from
1283be9
to
7c7363e
Compare
Codecov Report
@@ Coverage Diff @@
## master #18064 +/- ##
==========================================
- Coverage 66.34% 66.16% -0.18%
==========================================
Files 1569 1588 +19
Lines 61685 62480 +795
Branches 6240 6240
==========================================
+ Hits 40927 41343 +416
- Misses 19161 19540 +379
Partials 1597 1597
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
|
Hey @Painyjames it's great that you went forward and implemented this. Let me ping a few people who can review this PR! |
victorarbuesmallada
force-pushed
the
feature/datasource-access-sql-lab
branch
from
7c7363e
to
36ecd8b
Compare
|
/testenv up |
|
@betodealmeida Ephemeral environment spinning up at http://54.200.220.32:8080. Credentials are |
|
I created a test user But I wasn't able to query the table: SELECT * FROM examples.messagesOn the browser console I can see the error: {
"errors": [
{
"message": "You need access to the following tables: `examples.messages`,\n `all_database_access` or `all_datasource_access` permission",
"error_type": "TABLE_SECURITY_ACCESS_ERROR",
"extra": {
"link": "",
"tables": [
"examples.messages"
]
}
}
]
}Maybe @dpgaspar can shed some light here? |
victorarbuesmallada
force-pushed
the
feature/datasource-access-sql-lab
branch
from
36ecd8b
to
37bb936
Compare
I think the reason why this might not work is because the permission is In the acceptance tests we have against our patched superset container, we have the following:
This works fine cause we only have one schema on our database, but we wouldn't know what would happen if we had several schemas with the same table on the same database. In any case, this is still better than having only the schema permission that would grant access to all the tables under that schema, but honestly maybe we should consider generating permissions which are like this:
|
|
I've just test it out on the test environment and, even though couldn't load the schema, I was able to run a SQL statement against the allowed table. |
|
Adding as well what we have locally with this PR's changes |
victorarbuesmallada
force-pushed
the
feature/datasource-access-sql-lab
branch
from
37bb936
to
cefdc6b
Compare
victorarbuesmallada
force-pushed
the
feature/datasource-access-sql-lab
branch
from
cefdc6b
to
1fa370c
Compare
| schema_name = self.default_schema_backend_map[example_db.backend] | ||
| uri = f"superset/tables/{example_db.id}/{schema_name}/{table_name}/" | ||
| rv = self.client.get(uri) | ||
| self.assertEqual(rv.status_code, 200) |
There was a problem hiding this comment.
can you add a test where the table is not allowed also?
There was a problem hiding this comment.
added 👍
victorarbuesmallada
force-pushed
the
feature/datasource-access-sql-lab
branch
from
cc42159
to
c5ddcfc
Compare
|
@villebro @betodealmeida @zhaoyongjie are you guys happy with this PR? :) |
There was a problem hiding this comment.
Really nice improvement! I left a minor readability comment, but the changes LGTM at face value. I agree with @dpgaspar that this is a delicate change, so we should make sure to test this properly. I will do some testing tomorrow.
|
/testenv up |
|
@villebro Ephemeral environment spinning up at http://35.87.122.84:8080. Credentials are |
|
@Painyjames I just spun up an ephemeral envirnonment for testing - if it's not too much trouble, do you think it would be possible to add a few test users with relevant perms (at leat one with and one without datasource access) and instructions for testing so we can validate the changes here? |
|
I've created a couple of users:
|
|
Worth mentioning that, with the datasource access user, somehow I cannot select the schema and table on the dropdown lists, although querying the allowed datasource is still possible. |
I believe this is an unrelated bug and might be resolved by #18564 Edit: it appears to be a perm thing after all. Let me see check the best way to handle this |
|
in the issue, the requirement was to allow querying on physical table on db (without need to create dataset) but datasource permission here is used for dataset layer in superset. |
|
Also I think the reason it doesn't show schema in the dropdown for sqlite is when examples are loaded in sqlite, this attribute |
|
@mayurnewase @villebro is there any way this can go ahead with out the sql lite fix? just to know if there's going to be a dependency on that issue. |
There was a problem hiding this comment.
Tested and I agree we can leave the sqlite issue to be fixed in a follow-up PR. As the added functionality is well in line with the current logic, I feel this is good to go. @mayurnewase do you feel there's risk in merging this? I would also love to get an approval from @dpgaspar and/or @betodealmeida before merging.
|
I tested on postgresql and worked as intended. |
Co-authored-by: Yongjie Zhao <yongjiezhao@apache.org>
|
@Painyjames Could you fix this code style issue? thanks! |
|
Ephemeral environment shutdown and build artifacts deleted. |
| @@ -25,21 +25,28 @@ | |||
|
|
|||
| class DatabaseFilter(BaseFilter): | |||
| # TODO(bogdan): consider caching. | |||
| def schema_access_databases(self) -> Set[str]: # noqa pylint: disable=no-self-use | |||
|
|
|||
| def can_access_databases( # noqa pylint: disable=no-self-use | |||
There was a problem hiding this comment.
nit: any reason why this can't be @staticmethod ?
| @@ -237,13 +242,14 @@ def get_schema_perm( # pylint: disable=no-self-use | |||
|
|
|||
| return None | |||
|
|
|||
| def unpack_schema_perm( # pylint: disable=no-self-use | |||
| def unpack_database_and_schema( # pylint: disable=no-self-use | |||
There was a problem hiding this comment.
nit: any reason why these can't be @staticmethod ?
mistercrunch
added
🏷️ bot
SUMMARY
We'd like to have a more granular access to tables on SQL Lab, which currently can only be done at schema or database level. This PR would then tackle the story we raised a couple of days ago.
TESTING INSTRUCTIONS
Assign a datasource permission to a role and check that users with that role can only query that particular datasource.
ADDITIONAL INFORMATION