Added RLS ids to the cache keys; modified documentation; added templa…

…te processing to RLS filters.

docs/security.rst

@@ -171,8 +171,6 @@ filter for the last 30 days and apply it to a specific role, with a clause like
 ``date_field > DATE_SUB(NOW(), INTERVAL 30 DAY)``.  It can also support multiple 
 conditions: ``client_id = 6 AND advertiser="foo"``, etc. 
 
-You can throw whatever you want in there to define the subset of the table you want the roles in question to have access to.
-
 All relevant ``Row level security filters`` will be ANDed together, so it's 
 possible to create a situation where two roles conflict in such a way as to 
 limit a table subset to empty.  For example, the filters ``client_id=4`` and 

superset/common/query_object.py

@@ -21,7 +21,7 @@
 
 import simplejson as json
 
-from superset import app
+from superset import app, security_manager
 from superset.utils import core as utils
 
 # TODO: Type Metrics dictionary with TypedDict when it becomes a vanilla python type
@@ -130,6 +130,7 @@ def cache_key(self, **extra) -> str:
             del cache_dict[k]
         if self.time_range:
             cache_dict["time_range"] = self.time_range
+        cache_dict["rls"] = security_manager.get_rls_ids(self.datasource)
         json_data = self.json_dumps(cache_dict, sort_keys=True)
         return hashlib.md5(json_data.encode("utf-8")).hexdigest()
 

superset/connectors/sqla/models.py

@@ -656,14 +656,18 @@ def adhoc_metric_to_sqla(self, metric: Dict, cols: Dict) -> Optional[Column]:
 
         return self.make_sqla_column_compatible(sqla_metric, label)
 
-    def _get_row_level_filters(self) -> List[str]:
+    def _get_sqla_row_level_filters(self, template_processor) -> List[str]:
         """
         Return the appropriate row level security filters for this table and the current user.
 
+        :param BaseTemplateProcessor template_processor: The template processor to apply to the filters.
         :returns: A list of SQL clauses to be ANDed together.
         :rtype: List[str]
         """
-        return security_manager.get_row_level_security_filters(self)
+        return [
+            text("({})".format(template_processor.process_template(f)))
+            for f in security_manager.get_rls_filters(self)
+        ]
 
     def get_sqla_query(  # sqla
         self,
@@ -844,9 +848,7 @@ def get_sqla_query(  # sqla
                     elif op == "IS NOT NULL":
                         where_clause_and.append(col_obj.get_sqla_col() != None)
 
-        where_clause_and += [
-            text("({})".format(f)) for f in self._get_row_level_filters()
-        ]
+        where_clause_and += self._get_sqla_row_level_filters(template_processor)
         if extras:
             where = extras.get("where")
             if where:

superset/security.py

@@ -106,6 +106,7 @@ class SupersetSecurityManager(SecurityManager):
         "ResetPasswordView",
         "RoleModelView",
         "Security",
+        "RowLevelSecurityFiltersModelView",
     } | USER_MODEL_VIEWS
 
     ALPHA_ONLY_VIEW_MENUS = {"Upload a CSV"}
@@ -878,7 +879,7 @@ def assert_viz_permission(self, viz: "BaseViz") -> None:
 
         self.assert_datasource_permission(viz.datasource)
 
-    def get_row_level_security_filters(self, table):
+    def get_rls_filters(self, table):
         """
         Retrieves the appropriate row level security filters for the current user and the passed table.
 
@@ -894,3 +895,22 @@ def get_row_level_security_filters(self, table):
             ]
         except AttributeError:
             return []
+
+    def get_rls_ids(self, table) -> List[int]:
+        """
+        Retrieves the appropriate row level security filters IDs for the current user and the passed table.
+
+        :param table: The table to check against
+        :returns: A list of IDs.
+        """
+        try:
+            roles = [role.id for role in g.user.roles]
+            ids = [
+                f.id
+                for f in table.row_level_security_filters
+                if any(r.id in roles for r in f.roles)
+            ]
+            ids.sort()
+            return ids
+        except AttributeError:
+            return []

superset/viz.py

@@ -46,7 +46,7 @@
 from markdown import markdown
 from pandas.tseries.frequencies import to_offset
 
-from superset import app, cache, get_css_manifest_files
+from superset import app, cache, get_css_manifest_files, security_manager
 from superset.constants import NULL_STRING
 from superset.exceptions import NullValueException, SpatialException
 from superset.utils import core as utils
@@ -367,6 +367,7 @@ def cache_key(self, query_obj, **extra):
         cache_dict["time_range"] = self.form_data.get("time_range")
         cache_dict["datasource"] = self.datasource.uid
         cache_dict["extra_cache_keys"] = self.datasource.get_extra_cache_keys(query_obj)
+        cache_dict["rls"] = security_manager.get_rls_ids(self.datasource)
         json_data = self.json_dumps(cache_dict, sort_keys=True)
         return hashlib.md5(json_data.encode("utf-8")).hexdigest()