-
Notifications
You must be signed in to change notification settings - Fork 14.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(row-level-security): add base filter type and filter grouping #10946
Conversation
c6e4ed5
to
c8fc800
Compare
superset/migrations/versions/e5ef6828ac4e_add_rls_filter_type_and_grouping_key.py
Show resolved
Hide resolved
Thanks @bkyryliuk for the review, great comments! |
c40890d
to
f667c8d
Compare
@bkyryliuk this is ready for another round of review |
class RowLevelSecurityFiltersModelView( # pylint: disable=too-many-ancestors | ||
SupersetModelView, DeleteMixin | ||
): | ||
datamodel = SQLAInterface(models.RowLevelSecurityFilter) | ||
|
||
list_widget = cast(SupersetListWidget, RowLevelSecurityListWidget) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For some reason mypy flags Type[RowLevelSecurityListWidget]
as being incompatible with Type[SupersetListWidget]
which is required for list_widget
, despite RowLevelSecurityListWidget
extending from SupersetListWidget
. Either I'm missing something fundamental here, or mypy is just flagging a false positive.
f667c8d
to
8aced2a
Compare
This looks like it adds power/flexibility to RLS without adding unnecessary complexity if you don't want that flexibility. |
…l_access/dashboard_by_id_endpoints * upstream/master: (29 commits) fix(presto): default unknown types to string type (apache#10753) feat(row-level-security): add base filter type and filter grouping (apache#10946) docs: add gallery screenshot & link in README (apache#10988) docs: add a "Gallery" page (apache#10968) build: add PR lint action (apache#10990) adding filters back that caused issues (apache#10989) chore: selectors refactor in SQLLab test suite (Cypress) (apache#10944) ESLint: Remove ts-ignore comments (apache#10933) style: fix checkbox color (apache#10970) fix: changed disabled rules in datasets module (apache#10979) fix: update the time filter for 'Last Year' option in explore (apache#10829) fix: use nullpool even for user lookup in the celery (apache#10938) Allow empty observations in alerting (apache#10939) fix: re-enabling several globally disabled lint rules (apache#10957) fix: setting specific exceptions common/query_context.py (apache#10942) Pylint disabled rule `pointless-string-statement` is not raising warining anymore - removing (apache#10975) fix: pylint disabled rules in dashboard/api.py (apache#10976) fix: removed disabled lint rule `too-many-locals` in connectors/base/models.py (apache#10958) ESLint: Re-enable rule no-access-state-in-setstate (apache#10870) fix: simply is_adhoc_metric (apache#10964) ...
…pache#10946) * feat(row-level-security): add filter type and group key * simplify tests and add custom list widget * address comments * use enum value to ensure case sensitive value is used
SUMMARY
This PR adds two new fields to Row Level Security Filters (RLS):
1 = 0
, which will always be false.department = 'A' AND department = 'B'
. For these cases a group keydepartment
can be assigned to both RLS filters, after which they are ORed together (=union).Example:
RLS filters:
This would render the following extra clauses:
(date > now - 1 year) AND (region = 'domestic')
(date > now - 1 year OR date > now - 10 year) AND (region = 'domestic')
(date > now - 1 year) AND (region = 'domestic' OR region = 'foreign')
(date > now - 1 year OR date > now - 10 year) AND (region = 'domestic' OR region = 'foreign')
This change is backwards compatible, meaning that current filters will continue to function as before.
SCREENSHOTS
Add/Edit:
The custom list view. Note that Roles display "Not [Admin]" for base filters that apply to all except Admin and "All" when no roles have been excluded:
TEST PLAN
CI + new tests
ADDITIONAL INFORMATION