Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(saved queries): security perm simplification #11764

Merged

Conversation

dpgaspar
Copy link
Member

@dpgaspar dpgaspar commented Nov 20, 2020

SUMMARY

First PR for security permission simplification. Scope SavedQuery for API and MVC FAB classes.

The DB migration step is ready to upgrade and downgrade, note that downgrade will work just fine with superset default roles, but on custom made roles some granularity may be lost, since after converging (upgrading) there is information loss

Existing permissions:

Permission View
can_list SavedQueryView
can_show SavedQueryView
can_edit SavedQueryView
can_delete SavedQueryView
can_add SavedQueryView
muldelete SavedQueryView
can_show SavedQueryViewApi
can_edit SavedQueryViewApi
can_list SavedQueryViewApi
can_add SavedQueryViewApi
muldelete SavedQueryViewApi
can_mulexport SavedQueryViewApi

Future permissions:

Permission View
can_read SavedQuery
can_write SavedQuery

TEST PLAN

Test REACT CRUD views
Test MVC CRUD views

ADDITIONAL INFORMATION

  • Has associated issue:
  • Changes UI
  • Requires DB Migration.
  • Confirm DB Migration upgrade and downgrade tested.
  • Introduces new feature or API
  • Removes existing feature or API

@codecov-io
Copy link

codecov-io commented Nov 20, 2020

Codecov Report

Merging #11764 (d7c28f6) into master (bac84a3) will decrease coverage by 12.48%.
The diff coverage is 0.00%.

Impacted file tree graph

@@             Coverage Diff             @@
##           master   #11764       +/-   ##
===========================================
- Coverage   67.56%   55.08%   -12.49%     
===========================================
  Files         916      411      -505     
  Lines       44545    14583    -29962     
  Branches     4227     3749      -478     
===========================================
- Hits        30098     8033    -22065     
+ Misses      14344     6550     -7794     
+ Partials      103        0      -103     
Flag Coverage Δ
cypress 55.08% <0.00%> (-0.17%) ⬇️
javascript ?
python ?

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
.../src/views/CRUD/data/savedquery/SavedQueryList.tsx 2.60% <0.00%> (-58.76%) ⬇️
...uperset-frontend/src/dashboard/util/dnd-reorder.js 0.00% <0.00%> (-100.00%) ⬇️
...rset-frontend/src/dashboard/util/getEmptyLayout.js 0.00% <0.00%> (-100.00%) ⬇️
...dashboard/components/resizable/ResizableHandle.jsx 0.00% <0.00%> (-100.00%) ⬇️
.../src/dashboard/util/getFilterScopeFromNodesTree.js 0.00% <0.00%> (-93.48%) ⬇️
...src/dashboard/components/gridComponents/Header.jsx 10.52% <0.00%> (-86.85%) ⬇️
...rc/dashboard/components/gridComponents/Divider.jsx 13.33% <0.00%> (-86.67%) ⬇️
...ontend/src/dashboard/util/getDashboardFilterKey.ts 14.28% <0.00%> (-85.72%) ⬇️
...nd/src/views/CRUD/data/query/QueryPreviewModal.tsx 14.70% <0.00%> (-82.97%) ⬇️
...set-frontend/src/views/CRUD/welcome/EmptyState.tsx 5.71% <0.00%> (-82.10%) ⬇️
... and 770 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update bac84a3...d7c28f6. Read the comment docs.

@pull-request-size pull-request-size bot added size/L and removed size/M labels Nov 20, 2020
@dpgaspar dpgaspar marked this pull request as ready for review November 23, 2020 15:19
@dpgaspar dpgaspar changed the title feat(saved queries): security perm simplification [WiP] feat(saved queries): security perm simplification Nov 23, 2020
@dpgaspar dpgaspar changed the title [WiP] feat(saved queries): security perm simplification feat(saved queries): security perm simplification Nov 23, 2020
@willbarrett
Copy link
Member

willbarrett commented Nov 24, 2020

@dpgaspar I gather that other than one test file and one implementation place, there were no front-end changes required to support this?

Copy link
Member

@willbarrett willbarrett left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good start! The main delta I see is unit testing of the stuff in security_converge.py - given the importance of these utilities it would be good to get tests around them.

Base = declarative_base()

PvmType = Tuple[str, str]
PvmMigrationMapType = Dict[PvmType, Tuple[PvmType, ...]]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why the tuple? Will these ever be anything other than 1:1?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They will, on downgrade we need 1:N because I'm "recovering" for example: "can_read" -> ("can_show", "can_list", ...)

@dpgaspar dpgaspar added the risk:db-migration PRs that require a DB migration label Nov 25, 2020
@dpgaspar dpgaspar requested a review from willbarrett November 25, 2020 22:02
Copy link
Member

@villebro villebro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new perms look much more intuitive than the old ones 👍 One small non-blocking proposal.

Comment on lines +68 to +98
MODEL_VIEW_RW_METHOD_PERMISSION_MAP = {
"add": "write",
"api": "read",
"api_column_add": "write",
"api_column_edit": "write",
"api_create": "write",
"api_delete": "write",
"api_get": "read",
"api_read": "read",
"api_readvalues": "read",
"api_update": "write",
"delete": "write",
"download": "read",
"edit": "write",
"list": "read",
"muldelete": "write",
"show": "read",
}

MODEL_API_RW_METHOD_PERMISSION_MAP = {
"bulk_delete": "write",
"delete": "write",
"distinct": "read",
"export": "read",
"get": "read",
"get_list": "read",
"info": "read",
"post": "write",
"put": "write",
"related": "read",
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we add Enums for these, like PermissionType.WRITE?

@dpgaspar dpgaspar merged commit 9dd33d5 into apache:master Nov 30, 2020
@dpgaspar dpgaspar deleted the feat/permission-converge-saved-queries branch November 30, 2020 13:07
@mistercrunch mistercrunch added 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 1.0.0 labels Mar 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels risk:db-migration PRs that require a DB migration size/XL 🚢 1.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants