[SIP-29] Add support for row-level security #8644
Comments
|
Issue-Label Bot is automatically applying the label Links: app homepage, dashboard and code for this bot. |
issue-label-bot
bot
added
the
enhancement:request
|
I also need this function very much. At present, I solve this problem by developing custom data permissions through jinja template |
|
There are security problems in this plan: Use query filters to allow access to attribute values ,The current login user can delete the filter conditions in the query. If you do not give explore permission, the current user will lack the explore interaction function. |
Can you elaborate on your approach? |
|
I've been looking into this with an eye toward implementing it, using a slightly different approach: Proposed Change
New or Changed Public Interfaces
New dependenciesN/A Migration Plan and CompatibilityTBD It all seems to be working as expected at this point. Does anyone foresee any obvious issues with this method? |
This sounds ideal. @toop any concerns with this revised approach? |
|
@thunter009 I basically follow @altef and define a model to store the roles and data permissions of the account. For some roles, the data permissions are not controlled, while the normal permissions control the data of the query according to the roles and data permissions.You end up adding this custom permission control to the front of the filter, and then interacting with the data you see on the screen. |
|
@altef :I think just adding a component to the diagram (as shown in the initial screenshot of @justin-barton ) that is controlled by permissions is a good solution to the user interaction and security issues. |
Proposed solution
That allows for the management of the RowLevelSecurityFilters model. Additionally, for convenience, I've added it as a related view for tables.
After logging in with a user assigned to that role, I can still supply additional filters:
The generated SQL includes the additional filters AND the clause supplied by the row level security filter(s).
Everything seems to be working as expected on my end, and I'd be happy to provide a pull request if no one has any objections to this implementation? |
|
@altef How do you resolve different client_ids for the same role in your current solution? |
|
@axuew Different clients would just have different Roles assigned to them. Each client can potentially have any number of users, and all would be assigned the role for that client. |
|
@altef Your solution is good enough so far, but I recommend that you use the expression client_id={g.u.ser.id.dp} in a model that stores different ids for users to resolve the complexity of permission configuration. |
|
@axuew I'm sorry, I don't think I follow. Could you rephrase? In our case this method seems suitable because the field we check against can vary by table and is often a string. So the filter's clause would often be something like |
Agree to this revised !This good ideal !!! Thanks!!! |
|
Essentially, we're giving each role access to a subset of the table. So we could have one role: Company A, who has the clause And for a specific user of Company A, if they should only be able to see the last 30 days worth of data, apply both roles. Since a row level security filter's clause is arbitrary, it can also support multiple conditions: |
|
We are looking forward to your revised !Thank you very much. @altef |
|
@altef Your plan does solve all my problems and is flexible.However, if you configure one role for each user, it will be difficult to maintain because of the large number of users and roles. Therefore, I suggest to optimize the configuration for the user level after you merge the code |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. For admin, please label this issue |
|
Update: I've created a pull request which adds this feature; working through the process of getting it accepted. I think we're close. Currently awaiting another review. |
|
hi, have this released? |
|
@i2cute it's been merged in, i'm not sure how that'll be reflected in the release schedule though |
How can I add the filter_fila option in the security menu. I use version 0.27 |
|
use |
the superset_config.py file does not exist in version 0.27. config.py is called but the ENABLE_ROW_LEVEL_SECURITY statement is missing |
|
@altef @amitNielsen @justin-barton |
|
The row level security feature only exist from version 0.36 Otherwise feature will just not work |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. For admin, please label this issue |
|
Hi, I'm running the latest 0.36 version But when I enable the ENABLE_ROW_LEVEL_SECURITY Nothing appears in menu. With logger I can see the enable flag is set to true I thought maybe I need to set permissions for my gropup, similar to list LogModelView, maybe there is list RowLevelSecurityView.
It doesn't seem to be the case |
|
Hi @xcoder123 - does your user have the |
|
HI @altef Yes indeed, my user is part of admin group. What is interesting it doesn't show up in the menu: One more thing I want to quickly note, this might relate to the issue. I'm running the superset in docker, with pyodbc with MSSQL support. Where I have my custom security manager. Though switching it off, doesn't seem to help. Thank You |
|
That is weird! As far as I know these are the two sections that determine if it appears: And both of those seem to be true in your case |
|
Hi @altef I managed to find what was wrong. It was misconfigured docker-compose file from our side. For some reason superset-init and superset-worker was commented out by me. Thank you for quick response. |
|
That is a relief - thanks for letting me know! |
|
@altef is the feature only enabled for queries executed from "charts"? I am not seeing the row level filters applied on the queries run from SQL Lab. |
|
We should clarify the docs on that topic if it's not clear there. |
|
It applies the restriction in connectors/sqla/models.py:get_sqla_query(), so unless SQL Lab uses that (I haven't used SQL Lab yet, but it seems unlikely) it probably doesn't. |
|
@altef - I am facing a similar issue where I added the flag for enabling ROW_LEVEL in superset config but still I am not able to see this option enabled in UI. I tried it in charts also no luck there also. I tried this in 0.36 plus 0.37rc4 not able to get this working. |
|
Hi @vrnvikas - just to be clear, did you use |
I used "ENABLE_ROW_LEVEL_SECURITY" only. |
|
Yes, by default ENABLE_ROW_LEVEL_SECURITY is False, if you change this, you must do |
|
After "ENABLE_ROW_LEVEL_SECURITY : True" and running superset init , it's not reflecting in superset. I am using superset version 0.37.2 and running this on a Linux system. P.S. However I tried the same on a windows machine, it worked. |
|
On more recent Superset versions, the config variable |
|
As mentioned in "Updating.md", I have included "ROW_LEVEL_SECURITY : True" (also tried "ENABLE_ROW_LEVEL_SECURITY : True") under the Feature_Flag Dictionary. After doing so and running superset init also it is not reflecting in superset. |
[SIP-29] Proposal to add support for row-level security
Motivation
Many BI applications, particularly in multi-tenancy scenarios, require support for row-level security. That is, the ability to show different slices of a table to users based on some user attribute.
This feature has been requested in Superset several times, including:
#660
#5128
#7887
#8023
Proposed Change
Primarily, this feature would require two sub-features:
The proposed solution would be to add an 'attributes' property to roles that would essentially be a user-defined key-value store:
and to make those role attributes available as values for Query Filters:
New or Changed Public Interfaces
New dependencies
N/A
Migration Plan and Compatibility
TBD
Rejected Alternatives
Pre-processing data into multiple tables or views:
Reverse proxy
The text was updated successfully, but these errors were encountered: