Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(saved queries): security perm simplification #11764

Merged
merged 20 commits into from
Nov 30, 2020
Merged

feat(saved queries): security perm simplification #11764

merged 20 commits into from
Nov 30, 2020

Conversation

dpgaspar
Copy link
Member

@dpgaspar dpgaspar commented Nov 20, 2020
edited
Loading

SUMMARY

First PR for security permission simplification. Scope SavedQuery for API and MVC FAB classes.

The DB migration step is ready to upgrade and downgrade, note that downgrade will work just fine with superset default roles, but on custom made roles some granularity may be lost, since after converging (upgrading) there is information loss

Existing permissions:

Permission View
can_list SavedQueryView
can_show SavedQueryView
can_edit SavedQueryView
can_delete SavedQueryView
can_add SavedQueryView
muldelete SavedQueryView
can_show SavedQueryViewApi
can_edit SavedQueryViewApi
can_list SavedQueryViewApi
can_add SavedQueryViewApi
muldelete SavedQueryViewApi
can_mulexport SavedQueryViewApi

Future permissions:

Permission View
can_read SavedQuery
can_write SavedQuery

TEST PLAN

Test REACT CRUD views
Test MVC CRUD views

ADDITIONAL INFORMATION

  • Has associated issue:
  • Changes UI
  • Requires DB Migration.
  • Confirm DB Migration upgrade and downgrade tested.
  • Introduces new feature or API
  • Removes existing feature or API

@codecov-io
Copy link

codecov-io commented Nov 20, 2020
edited
Loading

Codecov Report

Merging #11764 (d7c28f6) into master (bac84a3) will decrease coverage by 12.48%.
The diff coverage is 0.00%.

Impacted file tree graph

@@             Coverage Diff             @@
##           master   #11764       +/-   ##
===========================================
- Coverage   67.56%   55.08%   -12.49%     
===========================================
  Files         916      411      -505     
  Lines       44545    14583    -29962     
  Branches     4227     3749      -478     
===========================================
- Hits        30098     8033    -22065     
+ Misses      14344     6550     -7794     
+ Partials      103        0      -103
Flag Coverage Δ
cypress 55.08% <0.00%> (-0.17%) ⬇️
javascript ?
python ?

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
.../src/views/CRUD/data/savedquery/SavedQueryList.tsx 2.60% <0.00%> (-58.76%) ⬇️
...uperset-frontend/src/dashboard/util/dnd-reorder.js 0.00% <0.00%> (-100.00%) ⬇️
...rset-frontend/src/dashboard/util/getEmptyLayout.js 0.00% <0.00%> (-100.00%) ⬇️
...dashboard/components/resizable/ResizableHandle.jsx 0.00% <0.00%> (-100.00%) ⬇️
.../src/dashboard/util/getFilterScopeFromNodesTree.js 0.00% <0.00%> (-93.48%) ⬇️
...src/dashboard/components/gridComponents/Header.jsx 10.52% <0.00%> (-86.85%) ⬇️
...rc/dashboard/components/gridComponents/Divider.jsx 13.33% <0.00%> (-86.67%) ⬇️
...ontend/src/dashboard/util/getDashboardFilterKey.ts 14.28% <0.00%> (-85.72%) ⬇️
...nd/src/views/CRUD/data/query/QueryPreviewModal.tsx 14.70% <0.00%> (-82.97%) ⬇️
...set-frontend/src/views/CRUD/welcome/EmptyState.tsx 5.71% <0.00%> (-82.10%) ⬇️
... and 770 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update bac84a3...d7c28f6. Read the comment docs.

@pull-request-size pull-request-size bot added size/L and removed size/M labels Nov 20, 2020
@dpgaspar dpgaspar marked this pull request as ready for review November 23, 2020 15:19
@dpgaspar dpgaspar changed the title feat(saved queries): security perm simplification [WiP] feat(saved queries): security perm simplification Nov 23, 2020
@dpgaspar dpgaspar changed the title [WiP] feat(saved queries): security perm simplification feat(saved queries): security perm simplification Nov 23, 2020
@willbarrett
Copy link
Member

willbarrett commented Nov 24, 2020
edited
Loading

@dpgaspar I gather that other than one test file and one implementation place, there were no front-end changes required to support this?

willbarrett
willbarrett reviewed Nov 24, 2020
View reviewed changes
Copy link
Member

@willbarrett willbarrett left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good start! The main delta I see is unit testing of the stuff in security_converge.py - given the importance of these utilities it would be good to get tests around them.

superset/migrations/shared/security_converge.py Outdated
Base = declarative_base()

PvmType = Tuple[str, str]
PvmMigrationMapType = Dict[PvmType, Tuple[PvmType, ...]]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why the tuple? Will these ever be anything other than 1:1?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They will, on downgrade we need 1:N because I'm "recovering" for example: "can_read" -> ("can_show", "can_list", ...)

superset/migrations/shared/security_converge.py Show resolved Hide resolved
@dpgaspar dpgaspar added the risk:db-migration PRs that require a DB migration label Nov 25, 2020
villebro
villebro approved these changes Nov 27, 2020
View reviewed changes
Copy link
Member

@villebro villebro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new perms look much more intuitive than the old ones 👍 One small non-blocking proposal.

superset/constants.py
Comment on lines +68 to +98
MODEL_VIEW_RW_METHOD_PERMISSION_MAP = {
"add": "write",
"api": "read",
"api_column_add": "write",
"api_column_edit": "write",
"api_create": "write",
"api_delete": "write",
"api_get": "read",
"api_read": "read",
"api_readvalues": "read",
"api_update": "write",
"delete": "write",
"download": "read",
"edit": "write",
"list": "read",
"muldelete": "write",
"show": "read",
}

MODEL_API_RW_METHOD_PERMISSION_MAP = {
"bulk_delete": "write",
"delete": "write",
"distinct": "read",
"export": "read",
"get": "read",
"get_list": "read",
"info": "read",
"post": "write",
"put": "write",
"related": "read",
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we add Enums for these, like PermissionType.WRITE?

@dpgaspar dpgaspar merged commit 9dd33d5 into apache:master Nov 30, 2020
@dpgaspar dpgaspar deleted the feat/permission-converge-saved-queries branch November 30, 2020 13:07
@dpgaspar dpgaspar mentioned this pull request Nov 30, 2020
Merged
6 tasks
@mistercrunch mistercrunch added 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 1.0.0 labels Mar 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@villebro villebro villebro approved these changes

@willbarrett willbarrett willbarrett approved these changes

@mistercrunch mistercrunch Awaiting requested review from mistercrunch mistercrunch is a code owner

Assignees
No one assigned
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels risk:db-migration PRs that require a DB migration size/XL 🚢 1.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@dpgaspar @codecov-io @willbarrett @villebro @mistercrunch