[SIP-104] API Row Level Security: get rls by username or roles via API

[frlm]

Please make sure you are familiar with the SIP process documented
(here)[https://github.com//issues/5602]. The SIP will be numbered by a committer upon acceptance.

[SIP] Proposal for API Row Level Security: get rls by username or roles via API

Motivation

I have created the following SIP to give the client-side possibility to generate an embedding request by retrieving the row level securities defined on the UI page, example of setting:

Providing either the username of the user or the role already defined on Apache Superset, API returns the list of RLS to be provided to body of endpoint /api/v1/security/guest_token/:

Otherwise, the client making the request must know in advance the settings provided at the user interface level. The following endpoints generate output considering the filter type (Basic / Regular) and the presence or absence of the Group Key. Right now a user without providing an rls but only the default value [ ], can display all the data within the dashboard, in my case I needed to manage the display of the type of data with respect to the user requesting the embedding. The output of request will be list of dictionaries with "clause" and "dataset" as keys, e.g:

[{"clause":"(province = 'AG')","dataset":25},{"clause":"(gender = 'boy')","dataset":2}]

If the different rls filters associated with the requested user or role have the same group key, the filters associated with the same dataset will be merged using the OR condition, e.g:

[{"clause":"(province = 'AG') OR (province = 'SI')","dataset":25}]

Proposed Change

I created new two endpoints:

• /api/v1/security/get_rls_by_username/
• /api/v1/security/get_rls_by_role/

that retrieve users, roles, tables and rls from Metadata tables (using the SQLAlchemy package), convert all filters of type Base to Regular and aggregate the filters with respect to the defined group key value. Obviously considering only the row level securities enabled on that specific user or role.

New or Changed Public Interfaces

As mentioned above, I created two new endpoints of type Security, documented within the swagger page:

New dependencies

No additional python package needs to be installed

Migration Plan and Compatibility

No database migrations are necessary, or updates to stored URLs.

[frlm]

Created pull request with /security/api.py file updated, read pull request: #25352
The new functionalities have been implemented and tested on Apache Superset 2.1.0

[rusackas]

Please open a "discuss" thread on the dev mailing list ([email protected]) to move this forward.

[villebro]

@frlm thanks for opening up the SIP and PR. I've worked a fair bit with the RLS feature, so I may be able to help. I think I understand what you're proposing, but I don't fully grasp what problem this is solving. Can you elaborate on why this functionality is needed? Also, who (=what permission/permissions) would be able to call this endpoint?

[rusackas]

Closing this and considering it discarded since it's gone without input or a DISCUSS thread for so long.