fix: shut off unneeded endpoints #8960
Conversation
|
We would appreciate it if you could provide us with more info about this issue/pr! Please do not leave the |
| @@ -261,14 +255,11 @@ def init_views(self) -> None: | |||
| appbuilder.add_view_no_menu(Dashboard) | |||
| appbuilder.add_view_no_menu(DashboardAddView) | |||
| appbuilder.add_view_no_menu(DashboardModelViewAsync) | |||
| appbuilder.add_view_no_menu(DatabaseAsync) | |||
| appbuilder.add_view_no_menu(DatabaseTablesAsync) | |||
There was a problem hiding this comment.
These 2 are unused now...
| appbuilder.add_view_no_menu(Datasource) | ||
| appbuilder.add_view_no_menu(KV) | ||
| appbuilder.add_view_no_menu(R) | ||
| appbuilder.add_view_no_menu(SavedQueryView) | ||
| appbuilder.add_view_no_menu(SavedQueryViewApi) | ||
| appbuilder.add_view_no_menu(SliceAddView) |
There was a problem hiding this comment.
Merged with SliceAsync to simplify
superset/views/log/views.py
Outdated
| @@ -24,3 +24,4 @@ | |||
|
|
|||
| class LogModelView(LogMixin, SupersetModelView): # pylint: disable=too-many-ancestors | |||
| datamodel = SQLAInterface(models.Log) | |||
| include_route_methods = {"list"} | |||
There was a problem hiding this comment.
Consider adding "show" also, since the fields retrieved by list are not very useful, it's important to access the log detail
There was a problem hiding this comment.
Unless this is 100% required for application functionality, I would recommend against exposing this information.
There was a problem hiding this comment.
I think what makes sense is either {"list", "show"} or nothing here. I was thinking about leaving it for backwards compatibility. I could put it behind a config flag too, let me do that.
mistercrunch
force-pushed
the
endpoints
branch
from
a9b8657 to
edf4408
Compare
|
@graceguo-supercat do you know if we use any of these endpoints for programmatic chart/dashboard generation? |
mistercrunch
force-pushed
the
endpoints
branch
3 times, most recently
from
9575b43 to
425bcfa
Compare
mistercrunch
force-pushed
the
endpoints
branch
3 times, most recently
from
6a89dd9 to
944e077
Compare
| @@ -218,6 +211,16 @@ def init_views(self) -> None: | |||
| category_label=__("Sources"), | |||
| category_icon="fa-database", | |||
| ) | |||
| appbuilder.add_link( | |||
There was a problem hiding this comment.
side mission: fix the menu ordering
| @@ -2984,16 +2983,3 @@ def apply_http_headers(response: Response): | |||
| if k not in response.headers: | |||
| response.headers[k] = v | |||
| return response | |||
|
|
|||
|
|
|||
| @app.route('/<regex("panoramix\/.*"):url>') | |||
There was a problem hiding this comment.
Killing redirects for things that would have been bookmarked 4+ years ago
| @@ -117,18 +121,3 @@ class DashboardModelViewAsync(DashboardModelView): # pylint: disable=too-many-a | |||
| "creator": _("Creator"), | |||
| "modified": _("Modified"), | |||
| } | |||
|
|
|||
|
|
|||
| class DashboardAddView(DashboardModelView): # pylint: disable=too-many-ancestors | |||
There was a problem hiding this comment.
Not needed anymore now that we have ModelRestApi
mistercrunch
force-pushed
the
endpoints
branch
2 times, most recently
from
6172183 to
06c58ce
Compare
Codecov Report
@@ Coverage Diff @@
## master #8960 +/- ##
=======================================
Coverage 59.16% 59.16%
=======================================
Files 367 367
Lines 11679 11679
Branches 2862 2862
=======================================
Hits 6910 6910
Misses 4590 4590
Partials 179 179
Continue to review full report at Codecov.
|
requirements.txt
Outdated
| @@ -22,7 +22,7 @@ croniter==0.3.30 | |||
| cryptography==2.7 | |||
| decorator==4.4.0 # via retry | |||
| defusedxml==0.6.0 # via python3-openid | |||
| flask-appbuilder==2.2.1 | |||
| flask-appbuilder==2.2.2rc1 | |||
There was a problem hiding this comment.
The latest rc is rc3. When no more features are needed to support this I'll release 2.2.2
tests/core_tests.py
Outdated
| @@ -345,7 +345,7 @@ def test_add_slice(self): | |||
| def test_get_user_slices(self): | |||
| self.login(username="admin") | |||
| userid = security_manager.find_user("admin").id | |||
| url = "/sliceaddview/api/read?_flt_0_created_by={}".format(userid) | |||
| url = "/sliceasync/api/read?_flt_0_created_by={}".format(userid) | |||
There was a problem hiding this comment.
nit: Take the chance to use f strings
superset/security/manager.py
Outdated
| # Limiting routes on FAB model views | ||
| UserModelView.include_route_methods = CRUD_ROUTE_METHODS | {"userinfo"} | ||
| RoleModelView.include_route_methods = CRUD_ROUTE_METHODS | ||
| PermissionViewModelView.include_route_methods = {"list"} |
There was a problem hiding this comment.
Dry these up? You added a constant above ^^
We recently added a new feature to FAB allowing to whitelist the needed endpoints in ModelView and ModelRestApi. First, we set our base wrapper class to an empty set, forcing each class inheriting from it to explicitely turn on the endpoints that Superset intends to use. Second, we go ModelView by ModelView to whitelist the actual endpoints used in the app. Notes: * as a result a large set of [unneeded] permissions should be cleaned up * outside of the "private" use of endpoints in the app, people that have been using endpoints in their environment for other purposes may experience loss of functionality
mistercrunch
force-pushed
the
endpoints
branch
2 times, most recently
from
107e756 to
94b1642
Compare
mistercrunch
force-pushed
the
endpoints
branch
from
94b1642 to
ba3d68c
Compare
mistercrunch
force-pushed
the
endpoints
branch
from
ba3d68c to
c868620
Compare
|
@etr2460 @graceguo-supercat , we'd like to move forward and merge this, let us know if you use other endpoints that we can open up for the time being. If you share a list of endpoints you use we can take that into account as we do change management in this area. |
|
@mistercrunch we use the |
mistercrunch
added
🏷️ bot
Our list of exposed endpoints has gotten out of control, mostly due to the default FAB behavior to auto-generate and auto-expose lots of endpoints dynamically on all ModelViews, combined with the fact that we have lots of models, and sometimes multiple ModelViews per model.
This PR disables ~300 endpoints out of ~500+ we currently have.
This PR is a fairly thorough pass on all ModelViews disabling endpoints that are not used. The focus has been on ModelViews, and generally only enabling what is needed (either the CRUD and/or the REST endpoints). In many cases, I used either logic, my personal understanding of how models should be exposes, and simple
grepcommands to confirm assumptions.Command to list the active endpoints
Note that longer term, we want to disable all ModelView REST endpoints and favor of FAB's newer
RestModelView. We also want to move away from the FAB's MVC / jinja CRUD, meaning we'll be deprecating all ModelViews.