-
Notifications
You must be signed in to change notification settings - Fork 14.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: deprecate rls base related filters #24128
chore: deprecate rls base related filters #24128
Conversation
Codecov Report
@@ Coverage Diff @@
## master #24128 +/- ##
=======================================
Coverage 68.25% 68.25%
=======================================
Files 1952 1952
Lines 75349 75349
Branches 8204 8205 +1
=======================================
Hits 51433 51433
Misses 21810 21810
Partials 2106 2106
Flags with carried forward coverage won't be shown. Click here to find out more.
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
UPDATING.md
Outdated
@@ -24,6 +24,7 @@ assists people when migrating to a new version. | |||
|
|||
## Next | |||
|
|||
- [24128](https://github.com/apache/superset/pull/24128) The `RLS_BASE_RELATED_FIELD_FILTERS` config parameter has been removed. Now the Tables dropdown will feature the same tables that the user is able to see elsewhere in the application using the standard `DatasourceFilter`, and the Roles dropdown will be filtered using the filter defined in `EXTRA_RELATED_QUERY_FILTERS["role"]`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you move this to the Breaking Changes section?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oof, good catch!
SUMMARY
This is a follow-up to the work done in #23777, more specifically this discussion: #23777 (comment)
Currently Row Level Security has a dedicated set of related base filters that makes it possible to customize the filters that are applied on the Table and Role models. These are defined on the
RLS_BASE_RELATED_FIELD_FILTERS
config parameter.Having these undefined by default is counter intuitive, as it means that a user that is given RLS access will be able to see ALL datasets under the RLS table dropdown, irrespective of which tables they see under the Datasets menu. To streamline this we should just use the same base filter we use for the dataset list view (
DatasourceFilter
).For roles, the PR #22526 introduced the possibility to define a base filter for Roles. To avoid having duplicated logic and to give the users a unified UX, we can reuse the Role filter that users can define via the
EXTRA_RELATED_QUERY_FILTERS
config flag.SCREENSHOTS
This is the datasets view for a user that is only able to access two datasets on the instance (the Gamma user only has database access to the BurgerKing database, despite there being many other databases/datasets on the instance).
With the
DASHBOARD_RBAC
feature enabled and a custom Roles filter, the user was only able to see theTeam-BurgerKing
role:Previously, the same user would see all tables and roles on the instance if they had RLS perms. After this change the RLS dropdowns are aligned with what's available elsewhere:
RLS tables:
RLS roles:
As a bycatch, the "Roles" title is also changed to "Excluded roles" if the filter type is set to "Base" (this is similar to how the list view):
ADDITIONAL INFORMATION