[security] make it easier to redefine Alpha/Gamma (#7036)
* [security] make it easier to redefine Alpha/Gamma While discussing some security aspects, and how one would alter the Alpha or Gamma role in a specific environment, I realized that these module-scoped constants would be much more useful as class attributes. This way, someone can override these sets in their security manager to alter the base roles. * fix * flake8
This commit is contained in:
parent
a1d4635627
commit
c5bdbc0964
@ -27,30 +27,32 @@ from superset import sql_parse
|
|||||||
from superset.connectors.connector_registry import ConnectorRegistry
|
from superset.connectors.connector_registry import ConnectorRegistry
|
||||||
from superset.exceptions import SupersetSecurityException
|
from superset.exceptions import SupersetSecurityException
|
||||||
|
|
||||||
READ_ONLY_MODEL_VIEWS = {
|
|
||||||
|
class SupersetSecurityManager(SecurityManager):
|
||||||
|
READ_ONLY_MODEL_VIEWS = {
|
||||||
'DatabaseAsync',
|
'DatabaseAsync',
|
||||||
'DatabaseView',
|
'DatabaseView',
|
||||||
'DruidClusterModelView',
|
'DruidClusterModelView',
|
||||||
}
|
}
|
||||||
|
|
||||||
USER_MODEL_VIEWS = {
|
USER_MODEL_VIEWS = {
|
||||||
'UserDBModelView',
|
'UserDBModelView',
|
||||||
'UserLDAPModelView',
|
'UserLDAPModelView',
|
||||||
'UserOAuthModelView',
|
'UserOAuthModelView',
|
||||||
'UserOIDModelView',
|
'UserOIDModelView',
|
||||||
'UserRemoteUserModelView',
|
'UserRemoteUserModelView',
|
||||||
}
|
}
|
||||||
|
|
||||||
GAMMA_READ_ONLY_MODEL_VIEWS = {
|
GAMMA_READ_ONLY_MODEL_VIEWS = {
|
||||||
'SqlMetricInlineView',
|
'SqlMetricInlineView',
|
||||||
'TableColumnInlineView',
|
'TableColumnInlineView',
|
||||||
'TableModelView',
|
'TableModelView',
|
||||||
'DruidColumnInlineView',
|
'DruidColumnInlineView',
|
||||||
'DruidDatasourceModelView',
|
'DruidDatasourceModelView',
|
||||||
'DruidMetricInlineView',
|
'DruidMetricInlineView',
|
||||||
} | READ_ONLY_MODEL_VIEWS
|
} | READ_ONLY_MODEL_VIEWS
|
||||||
|
|
||||||
ADMIN_ONLY_VIEW_MENUS = {
|
ADMIN_ONLY_VIEW_MENUS = {
|
||||||
'AccessRequestsModelView',
|
'AccessRequestsModelView',
|
||||||
'Manage',
|
'Manage',
|
||||||
'SQL Lab',
|
'SQL Lab',
|
||||||
@ -59,13 +61,13 @@ ADMIN_ONLY_VIEW_MENUS = {
|
|||||||
'ResetPasswordView',
|
'ResetPasswordView',
|
||||||
'RoleModelView',
|
'RoleModelView',
|
||||||
'Security',
|
'Security',
|
||||||
} | USER_MODEL_VIEWS
|
} | USER_MODEL_VIEWS
|
||||||
|
|
||||||
ALPHA_ONLY_VIEW_MENUS = {
|
ALPHA_ONLY_VIEW_MENUS = {
|
||||||
'Upload a CSV',
|
'Upload a CSV',
|
||||||
}
|
}
|
||||||
|
|
||||||
ADMIN_ONLY_PERMISSIONS = {
|
ADMIN_ONLY_PERMISSIONS = {
|
||||||
'all_database_access',
|
'all_database_access',
|
||||||
'can_sql_json', # TODO: move can_sql_json to sql_lab role
|
'can_sql_json', # TODO: move can_sql_json to sql_lab role
|
||||||
'can_override_role_permissions',
|
'can_override_role_permissions',
|
||||||
@ -73,27 +75,24 @@ ADMIN_ONLY_PERMISSIONS = {
|
|||||||
'can_override_role_permissions',
|
'can_override_role_permissions',
|
||||||
'can_approve',
|
'can_approve',
|
||||||
'can_update_role',
|
'can_update_role',
|
||||||
}
|
}
|
||||||
|
|
||||||
READ_ONLY_PERMISSION = {
|
READ_ONLY_PERMISSION = {
|
||||||
'can_show',
|
'can_show',
|
||||||
'can_list',
|
'can_list',
|
||||||
}
|
}
|
||||||
|
|
||||||
ALPHA_ONLY_PERMISSIONS = set([
|
ALPHA_ONLY_PERMISSIONS = set([
|
||||||
'muldelete',
|
'muldelete',
|
||||||
'all_datasource_access',
|
'all_datasource_access',
|
||||||
])
|
])
|
||||||
|
|
||||||
OBJECT_SPEC_PERMISSIONS = set([
|
OBJECT_SPEC_PERMISSIONS = set([
|
||||||
'database_access',
|
'database_access',
|
||||||
'schema_access',
|
'schema_access',
|
||||||
'datasource_access',
|
'datasource_access',
|
||||||
'metric_access',
|
'metric_access',
|
||||||
])
|
])
|
||||||
|
|
||||||
|
|
||||||
class SupersetSecurityManager(SecurityManager):
|
|
||||||
|
|
||||||
def get_schema_perm(self, database, schema):
|
def get_schema_perm(self, database, schema):
|
||||||
if schema:
|
if schema:
|
||||||
@ -263,7 +262,7 @@ class SupersetSecurityManager(SecurityManager):
|
|||||||
self.add_permission_view_menu(permission_name, view_menu_name)
|
self.add_permission_view_menu(permission_name, view_menu_name)
|
||||||
|
|
||||||
def is_user_defined_permission(self, perm):
|
def is_user_defined_permission(self, perm):
|
||||||
return perm.permission.name in OBJECT_SPEC_PERMISSIONS
|
return perm.permission.name in self.OBJECT_SPEC_PERMISSIONS
|
||||||
|
|
||||||
def create_custom_permissions(self):
|
def create_custom_permissions(self):
|
||||||
# Global perms
|
# Global perms
|
||||||
@ -359,21 +358,21 @@ class SupersetSecurityManager(SecurityManager):
|
|||||||
|
|
||||||
def is_admin_only(self, pvm):
|
def is_admin_only(self, pvm):
|
||||||
# not readonly operations on read only model views allowed only for admins
|
# not readonly operations on read only model views allowed only for admins
|
||||||
if (pvm.view_menu.name in READ_ONLY_MODEL_VIEWS and
|
if (pvm.view_menu.name in self.READ_ONLY_MODEL_VIEWS and
|
||||||
pvm.permission.name not in READ_ONLY_PERMISSION):
|
pvm.permission.name not in self.READ_ONLY_PERMISSION):
|
||||||
return True
|
return True
|
||||||
return (
|
return (
|
||||||
pvm.view_menu.name in ADMIN_ONLY_VIEW_MENUS or
|
pvm.view_menu.name in self.ADMIN_ONLY_VIEW_MENUS or
|
||||||
pvm.permission.name in ADMIN_ONLY_PERMISSIONS
|
pvm.permission.name in self.ADMIN_ONLY_PERMISSIONS
|
||||||
)
|
)
|
||||||
|
|
||||||
def is_alpha_only(self, pvm):
|
def is_alpha_only(self, pvm):
|
||||||
if (pvm.view_menu.name in GAMMA_READ_ONLY_MODEL_VIEWS and
|
if (pvm.view_menu.name in self.GAMMA_READ_ONLY_MODEL_VIEWS and
|
||||||
pvm.permission.name not in READ_ONLY_PERMISSION):
|
pvm.permission.name not in self.READ_ONLY_PERMISSION):
|
||||||
return True
|
return True
|
||||||
return (
|
return (
|
||||||
pvm.view_menu.name in ALPHA_ONLY_VIEW_MENUS or
|
pvm.view_menu.name in self.ALPHA_ONLY_VIEW_MENUS or
|
||||||
pvm.permission.name in ALPHA_ONLY_PERMISSIONS
|
pvm.permission.name in self.ALPHA_ONLY_PERMISSIONS
|
||||||
)
|
)
|
||||||
|
|
||||||
def is_admin_pvm(self, pvm):
|
def is_admin_pvm(self, pvm):
|
||||||
@ -395,7 +394,7 @@ class SupersetSecurityManager(SecurityManager):
|
|||||||
'can_sql_json', 'can_csv', 'can_search_queries', 'can_sqllab_viz',
|
'can_sql_json', 'can_csv', 'can_search_queries', 'can_sqllab_viz',
|
||||||
'can_sqllab',
|
'can_sqllab',
|
||||||
} or
|
} or
|
||||||
(pvm.view_menu.name in USER_MODEL_VIEWS and
|
(pvm.view_menu.name in self.USER_MODEL_VIEWS and
|
||||||
pvm.permission.name == 'can_list'))
|
pvm.permission.name == 'can_list'))
|
||||||
|
|
||||||
def is_granter_pvm(self, pvm):
|
def is_granter_pvm(self, pvm):
|
||||||
|
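Review bot: In the first hunk, `GAMMA_READ_ONLY_MODEL_VIEWS = {...} | READ_ONLY_MODEL_VIEWS` and `ADMIN_ONLY_VIEW_MENUS = {...} | USER_MODEL_VIEWS` are evaluated once when the class body runs, so a subclass that only overrides `READ_ONLY_MODEL_VIEWS` or `USER_MODEL_VIEWS` (the use case the commit message describes) leaves the derived sets bound to the base-class values: `is_alpha_only` keeps consulting a `self.GAMMA_READ_ONLY_MODEL_VIEWS` built from the old `READ_ONLY_MODEL_VIEWS` while `is_admin_only` sees the overridden one, a silent divergence in how Alpha and Gamma are restricted. Unless the derived sets are recomputed per class (for example as properties), each of the two union lines deserves a comment such as `# computed at class-definition time from READ_ONLY_MODEL_VIEWS; a subclass overriding that set must also redefine this one`. A class docstring listing which of these attributes are intended as extension points, and noting that they should be rebound rather than mutated in place (they are shared `set` objects on the base class), would also help operators who follow the commit's intent. The module-level names the hunk removes may have been imported elsewhere in the project; that cannot be confirmed from this page.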