Skip to content

Commit

Permalink
feat(datasets): security perm simplification (#12000)
Browse files Browse the repository at this point in the history
* feat(datasets): security perm simplification

* feat(datasets): security perm simplification

* fix tests

* fix tests

* fix tests

* fix tests

* fix tests

* include SqlMetricInlineView converge and fix JS tests

* update to current alembic revision
  • Loading branch information
dpgaspar authored Dec 16, 2020
1 parent 9c8b65d commit 2302adb
Show file tree
Hide file tree
Showing 9 changed files with 154 additions and 31 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ const mockUser = {
};

fetchMock.get(datasetsInfoEndpoint, {
permissions: ['can_list', 'can_edit', 'can_add', 'can_delete'],
permissions: ['can_read', 'can_write'],
});
fetchMock.get(datasetsOwnersEndpoint, {
result: [],
Expand Down
8 changes: 4 additions & 4 deletions superset-frontend/src/views/CRUD/data/dataset/DatasetList.tsx
Original file line number Diff line number Diff line change
Expand Up @@ -141,10 +141,10 @@ const DatasetList: FunctionComponent<DatasetListProps> = ({
refreshData();
};

const canEdit = hasPerm('can_edit');
const canDelete = hasPerm('can_delete');
const canCreate = hasPerm('can_add');
const canExport = hasPerm('can_mulexport');
const canEdit = hasPerm('can_write');
const canDelete = hasPerm('can_write');
const canCreate = hasPerm('can_write');
const canExport = hasPerm('can_read');

const initialSort = [{ id: 'changed_on_delta_humanized', desc: true }];

Expand Down
8 changes: 7 additions & 1 deletion superset/connectors/sqla/views.py
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@
from superset import app, db, is_feature_enabled
from superset.connectors.base.views import DatasourceModelView
from superset.connectors.sqla import models
from superset.constants import RouteMethod
from superset.constants import MODEL_VIEW_RW_METHOD_PERMISSION_MAP, RouteMethod
from superset.typing import FlaskResponse
from superset.utils import core as utils
from superset.views.base import (
Expand All @@ -55,6 +55,8 @@ class TableColumnInlineView( # pylint: disable=too-many-ancestors
):
datamodel = SQLAInterface(models.TableColumn)
# TODO TODO, review need for this on related_views
class_permission_name = "Dataset"
method_permission_name = MODEL_VIEW_RW_METHOD_PERMISSION_MAP
include_route_methods = RouteMethod.RELATED_VIEW_SET | RouteMethod.API_SET

list_title = _("Columns")
Expand Down Expand Up @@ -174,6 +176,8 @@ class SqlMetricInlineView( # pylint: disable=too-many-ancestors
CompactCRUDMixin, SupersetModelView
):
datamodel = SQLAInterface(models.SqlMetric)
class_permission_name = "Dataset"
method_permission_name = MODEL_VIEW_RW_METHOD_PERMISSION_MAP
include_route_methods = RouteMethod.RELATED_VIEW_SET | RouteMethod.API_SET

list_title = _("Metrics")
Expand Down Expand Up @@ -327,6 +331,8 @@ class TableModelView( # pylint: disable=too-many-ancestors
DatasourceModelView, DeleteMixin, YamlExportMixin
):
datamodel = SQLAInterface(models.SqlaTable)
class_permission_name = "Dataset"
method_permission_name = MODEL_VIEW_RW_METHOD_PERMISSION_MAP
include_route_methods = RouteMethod.CRUD_SET

list_title = _("Tables")
Expand Down
5 changes: 4 additions & 1 deletion superset/constants.py
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,7 @@ class RouteMethod: # pylint: disable=too-few-public-methods
"list": "read",
"muldelete": "write",
"show": "read",
"yaml_export": "read",
}

MODEL_API_RW_METHOD_PERMISSION_MAP = {
Expand All @@ -95,8 +96,10 @@ class RouteMethod: # pylint: disable=too-few-public-methods
"post": "write",
"put": "write",
"related": "read",
"favorite_status": "write",
"refresh": "read",
"related_objects": "read",
"import_": "write",
"favorite_status": "write",
"cache_screenshot": "read",
"screenshot": "read",
"data": "read",
Expand Down
5 changes: 3 additions & 2 deletions superset/datasets/api.py
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@
from superset.commands.exceptions import CommandInvalidError
from superset.commands.importers.v1.utils import remove_root
from superset.connectors.sqla.models import SqlaTable
from superset.constants import RouteMethod
from superset.constants import MODEL_API_RW_METHOD_PERMISSION_MAP, RouteMethod
from superset.databases.filters import DatabaseFilter
from superset.datasets.commands.bulk_delete import BulkDeleteDatasetCommand
from superset.datasets.commands.create import CreateDatasetCommand
Expand Down Expand Up @@ -79,7 +79,8 @@ class DatasetRestApi(BaseSupersetModelRestApi):

resource_name = "dataset"
allow_browser_login = True
class_permission_name = "TableModelView"
class_permission_name = "Dataset"
method_permission_name = MODEL_API_RW_METHOD_PERMISSION_MAP
include_route_methods = RouteMethod.REST_MODEL_VIEW_CRUD_SET | {
RouteMethod.EXPORT,
RouteMethod.IMPORT,
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
"""security converge datasets
Revision ID: 45731db65d9c
Revises: ccb74baaa89b
Create Date: 2020-12-10 15:05:44.928020
"""

# revision identifiers, used by Alembic.
revision = "45731db65d9c"
down_revision = "c25cb2c78727"

from alembic import op
from sqlalchemy.exc import SQLAlchemyError
from sqlalchemy.orm import Session

from superset.migrations.shared.security_converge import (
add_pvms,
get_reversed_new_pvms,
get_reversed_pvm_map,
migrate_roles,
Pvm,
)

NEW_PVMS = {"Dataset": ("can_read", "can_write",)}
PVM_MAP = {
Pvm("SqlMetricInlineView", "can_add"): (Pvm("Dataset", "can_write"),),
Pvm("SqlMetricInlineView", "can_delete"): (Pvm("Dataset", "can_write"),),
Pvm("SqlMetricInlineView", "can_edit"): (Pvm("Dataset", "can_write"),),
Pvm("SqlMetricInlineView", "can_list"): (Pvm("Dataset", "can_read"),),
Pvm("SqlMetricInlineView", "can_show"): (Pvm("Dataset", "can_read"),),
Pvm("TableColumnInlineView", "can_add"): (Pvm("Dataset", "can_write"),),
Pvm("TableColumnInlineView", "can_delete"): (Pvm("Dataset", "can_write"),),
Pvm("TableColumnInlineView", "can_edit"): (Pvm("Dataset", "can_write"),),
Pvm("TableColumnInlineView", "can_list"): (Pvm("Dataset", "can_read"),),
Pvm("TableColumnInlineView", "can_show"): (Pvm("Dataset", "can_read"),),
Pvm("TableModelView", "can_add",): (Pvm("Dataset", "can_write"),),
Pvm("TableModelView", "can_delete",): (Pvm("Dataset", "can_write"),),
Pvm("TableModelView", "can_edit",): (Pvm("Dataset", "can_write"),),
Pvm("TableModelView", "can_list"): (Pvm("Dataset", "can_read"),),
Pvm("TableModelView", "can_mulexport"): (Pvm("Dataset", "can_read"),),
Pvm("TableModelView", "can_show"): (Pvm("Dataset", "can_read"),),
Pvm("TableModelView", "muldelete",): (Pvm("Dataset", "can_write"),),
Pvm("TableModelView", "refresh",): (Pvm("Dataset", "can_write"),),
Pvm("TableModelView", "yaml_export",): (Pvm("Dataset", "can_read"),),
}


def upgrade():
bind = op.get_bind()
session = Session(bind=bind)

# Add the new permissions on the migration itself
add_pvms(session, NEW_PVMS)
migrate_roles(session, PVM_MAP)
try:
session.commit()
except SQLAlchemyError as ex:
print(f"An error occurred while upgrading permissions: {ex}")
session.rollback()


def downgrade():
bind = op.get_bind()
session = Session(bind=bind)

# Add the old permissions on the migration itself
add_pvms(session, get_reversed_new_pvms(PVM_MAP))
migrate_roles(session, get_reversed_pvm_map(PVM_MAP))
try:
session.commit()
except SQLAlchemyError as ex:
print(f"An error occurred while downgrading permissions: {ex}")
session.rollback()
pass
12 changes: 8 additions & 4 deletions superset/security/manager.py
Original file line number Diff line number Diff line change
Expand Up @@ -120,9 +120,7 @@ class SupersetSecurityManager( # pylint: disable=too-many-public-methods
}

GAMMA_READ_ONLY_MODEL_VIEWS = {
"SqlMetricInlineView",
"TableColumnInlineView",
"TableModelView",
"Dataset",
"DruidColumnInlineView",
"DruidDatasourceModelView",
"DruidMetricInlineView",
Expand Down Expand Up @@ -160,7 +158,13 @@ class SupersetSecurityManager( # pylint: disable=too-many-public-methods
"all_query_access",
}

READ_ONLY_PERMISSION = {"can_show", "can_list", "can_get", "can_external_metadata"}
READ_ONLY_PERMISSION = {
"can_show",
"can_list",
"can_get",
"can_external_metadata",
"can_read",
}

ALPHA_ONLY_PERMISSIONS = {
"muldelete",
Expand Down
30 changes: 22 additions & 8 deletions tests/datasets/api_tests.py
Original file line number Diff line number Diff line change
Expand Up @@ -353,6 +353,20 @@ def test_get_dataset_info(self):
rv = self.get_assert_metric(uri, "info")
assert rv.status_code == 200

def test_info_security_dataset(self):
"""
Dataset API: Test info security
"""
self.login(username="admin")
params = {"keys": ["permissions"]}
uri = f"api/v1/dataset/_info?q={prison.dumps(params)}"
rv = self.get_assert_metric(uri, "info")
data = json.loads(rv.data.decode("utf-8"))
assert rv.status_code == 200
assert "can_read" in data["permissions"]
assert "can_write" in data["permissions"]
assert len(data["permissions"]) == 2

def test_create_dataset_item(self):
"""
Dataset API: Test create dataset item
Expand Down Expand Up @@ -455,23 +469,23 @@ def test_create_dataset_item_owners_invalid(self):
expected_result = {"message": {"owners": ["Owners are invalid"]}}
assert data == expected_result

@pytest.mark.usefixtures("load_energy_table_with_slice")
def test_create_dataset_validate_uniqueness(self):
"""
Dataset API: Test create dataset validate table uniqueness
"""
example_db = get_example_database()
energy_usage_ds = self.get_energy_usage_dataset()
self.login(username="admin")
table_data = {
"database": example_db.id,
"schema": "",
"table_name": "birth_names",
"database": energy_usage_ds.database_id,
"table_name": energy_usage_ds.table_name,
}
uri = "api/v1/dataset/"
rv = self.post_assert_metric(uri, table_data, "post")
assert rv.status_code == 422
data = json.loads(rv.data.decode("utf-8"))
assert data == {
"message": {"table_name": ["Datasource birth_names already exists"]}
"message": {"table_name": ["Datasource energy_usage already exists"]}
}

def test_create_dataset_same_name_different_schema(self):
Expand Down Expand Up @@ -1104,7 +1118,7 @@ def test_export_dataset_gamma(self):

self.login(username="gamma")
rv = self.client.get(uri)
assert rv.status_code == 401
assert rv.status_code == 404

@patch.dict(
"superset.extensions.feature_flag_manager._feature_flags",
Expand Down Expand Up @@ -1165,8 +1179,8 @@ def test_export_dataset_bundle_gamma(self):

self.login(username="gamma")
rv = self.client.get(uri)

assert rv.status_code == 401
# gamma users by default do not have access to this dataset
assert rv.status_code == 404

def test_get_dataset_related_objects(self):
"""
Expand Down
24 changes: 14 additions & 10 deletions tests/security_tests.py
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,13 @@
from .fixtures.energy_dashboard import load_energy_table_with_slice
from .fixtures.unicode_dashboard import load_unicode_dashboard_with_slice

NEW_SECURITY_CONVERGE_VIEWS = ("CssTemplate", "SavedQuery", "Chart", "Annotation")
NEW_SECURITY_CONVERGE_VIEWS = (
"Annotation",
"Dataset",
"CssTemplate",
"Chart",
"SavedQuery",
)


def get_perm_tuples(role_name):
Expand Down Expand Up @@ -644,7 +650,7 @@ def assert_can_menu(self, view_menu, permissions_set):
self.assertIn(("menu_access", view_menu), permissions_set)

def assert_can_gamma(self, perm_set):
self.assert_can_read("TableModelView", perm_set)
self.assert_can_read("Dataset", perm_set)

# make sure that user can create slices and dashboards
self.assert_can_all("Chart", perm_set)
Expand Down Expand Up @@ -674,7 +680,7 @@ def assert_can_gamma(self, perm_set):
def assert_can_alpha(self, perm_set):
self.assert_can_all("Annotation", perm_set)
self.assert_can_all("CssTemplate", perm_set)
self.assert_can_all("TableModelView", perm_set)
self.assert_can_all("Dataset", perm_set)
self.assert_can_read("QueryView", perm_set)
self.assertIn(("can_import_dashboards", "Superset"), perm_set)
self.assertIn(("can_this_form_post", "CsvToDatabaseView"), perm_set)
Expand Down Expand Up @@ -711,7 +717,7 @@ def assert_can_admin(self, perm_set):
def test_is_admin_only(self):
self.assertFalse(
security_manager._is_admin_only(
security_manager.find_permission_view_menu("can_list", "TableModelView")
security_manager.find_permission_view_menu("can_read", "Dataset")
)
)
self.assertFalse(
Expand Down Expand Up @@ -759,15 +765,13 @@ def test_is_admin_only(self):
def test_is_alpha_only(self):
self.assertFalse(
security_manager._is_alpha_only(
security_manager.find_permission_view_menu("can_list", "TableModelView")
security_manager.find_permission_view_menu("can_read", "Dataset")
)
)

self.assertTrue(
security_manager._is_alpha_only(
security_manager.find_permission_view_menu(
"muldelete", "TableModelView"
)
security_manager.find_permission_view_menu("can_write", "Dataset")
)
)
self.assertTrue(
Expand All @@ -788,7 +792,7 @@ def test_is_alpha_only(self):
def test_is_gamma_pvm(self):
self.assertTrue(
security_manager._is_gamma_pvm(
security_manager.find_permission_view_menu("can_list", "TableModelView")
security_manager.find_permission_view_menu("can_read", "Dataset")
)
)

Expand Down Expand Up @@ -837,7 +841,7 @@ def test_gamma_permissions(self):
gamma_perm_set.add((perm.permission.name, perm.view_menu.name))

# check read only perms
self.assert_can_read("TableModelView", gamma_perm_set)
self.assert_can_read("Dataset", gamma_perm_set)

# make sure that user can create slices and dashboards
self.assert_can_all("Chart", gamma_perm_set)
Expand Down

0 comments on commit 2302adb

Please sign in to comment.