mirror of https://github.com/apache/superset.git
fix: reorganize role permissions (#23096)
This commit is contained in:
parent
c7823e32ff
commit
d4362a3676
|
@ -137,6 +137,7 @@ class QueryRestApi(BaseSupersetModelRestApi):
|
|||
base_related_field_filters = {
|
||||
"created_by": [["id", BaseFilterRelatedUsers, lambda: []]],
|
||||
"user": [["id", BaseFilterRelatedUsers, lambda: []]],
|
||||
"database": [["id", DatabaseFilter, lambda: []]],
|
||||
}
|
||||
related_field_filters = {
|
||||
"created_by": RelatedFieldFilter("first_name", FilterRelatedOwners),
|
||||
|
@ -145,7 +146,6 @@ class QueryRestApi(BaseSupersetModelRestApi):
|
|||
|
||||
search_columns = ["changed_on", "database", "sql", "status", "user", "start_time"]
|
||||
|
||||
base_related_field_filters = {"database": [["id", DatabaseFilter, lambda: []]]}
|
||||
allowed_rel_fields = {"database", "user"}
|
||||
allowed_distinct_fields = {"status"}
|
||||
|
||||
|
|
|
@ -154,40 +154,53 @@ class SupersetSecurityManager( # pylint: disable=too-many-public-methods
|
|||
READ_ONLY_MODEL_VIEWS = {"Database", "DruidClusterModelView", "DynamicPlugin"}
|
||||
|
||||
USER_MODEL_VIEWS = {
|
||||
"RegisterUserModelView",
|
||||
"UserDBModelView",
|
||||
"UserLDAPModelView",
|
||||
"UserInfoEditView",
|
||||
"UserOAuthModelView",
|
||||
"UserOIDModelView",
|
||||
"UserRemoteUserModelView",
|
||||
}
|
||||
|
||||
GAMMA_READ_ONLY_MODEL_VIEWS = {
|
||||
"Annotation",
|
||||
"CssTemplate",
|
||||
"Dataset",
|
||||
"Datasource",
|
||||
"CssTemplate",
|
||||
} | READ_ONLY_MODEL_VIEWS
|
||||
|
||||
ADMIN_ONLY_VIEW_MENUS = {
|
||||
"Access Requests",
|
||||
"AccessRequestsModelView",
|
||||
"SQL Lab",
|
||||
"Action Log",
|
||||
"Log",
|
||||
"List Users",
|
||||
"List Roles",
|
||||
"Refresh Druid Metadata",
|
||||
"ResetPasswordView",
|
||||
"RoleModelView",
|
||||
"Log",
|
||||
"Security",
|
||||
"Row Level Security",
|
||||
"Row Level Security Filters",
|
||||
"RowLevelSecurityFiltersModelView",
|
||||
"Security",
|
||||
"SQL Lab",
|
||||
} | USER_MODEL_VIEWS
|
||||
|
||||
ALPHA_ONLY_VIEW_MENUS = {
|
||||
"Manage",
|
||||
"CSS Templates",
|
||||
"Annotation Layers",
|
||||
"Queries",
|
||||
"Import dashboards",
|
||||
"Upload a CSV",
|
||||
"ReportSchedule",
|
||||
"Alerts & Report",
|
||||
"TableSchemaView",
|
||||
"CsvToDatabaseView",
|
||||
"ColumnarToDatabaseView",
|
||||
"ExcelToDatabaseView",
|
||||
"ImportExportRestApi",
|
||||
}
|
||||
|
||||
ADMIN_ONLY_PERMISSIONS = {
|
||||
|
@ -199,6 +212,7 @@ class SupersetSecurityManager( # pylint: disable=too-many-public-methods
|
|||
"all_query_access",
|
||||
"can_grant_guest_token",
|
||||
"can_set_embedded",
|
||||
"can_warm_up_cache",
|
||||
}
|
||||
|
||||
READ_ONLY_PERMISSION = {
|
||||
|
@ -222,16 +236,33 @@ class SupersetSecurityManager( # pylint: disable=too-many-public-methods
|
|||
"datasource_access",
|
||||
}
|
||||
|
||||
ACCESSIBLE_PERMS = {"can_userinfo", "resetmypassword"}
|
||||
ACCESSIBLE_PERMS = {"can_userinfo", "resetmypassword", "can_recent_activity"}
|
||||
|
||||
SQLLAB_ONLY_PERMISSIONS = {
|
||||
("can_my_queries", "SqlLab"),
|
||||
("can_read", "SavedQuery"),
|
||||
("can_sql_json", "Superset"),
|
||||
("can_write", "SavedQuery"),
|
||||
("can_export", "SavedQuery"),
|
||||
("can_read", "Query"),
|
||||
("can_export_csv", "Query"),
|
||||
("can_get_results", "SQLLab"),
|
||||
("can_execute_sql_query", "SQLLab"),
|
||||
("can_export_csv", "SQLLab"),
|
||||
("can_sql_json", "Superset"), # Deprecated permission remove on 3.0.0
|
||||
("can_sqllab_history", "Superset"),
|
||||
("can_sqllab_viz", "Superset"),
|
||||
("can_sqllab_table_viz", "Superset"),
|
||||
("can_sqllab_table_viz", "Superset"), # Deprecated permission remove on 3.0.0
|
||||
("can_sqllab", "Superset"),
|
||||
("can_stop_query", "Superset"), # Deprecated permission remove on 3.0.0
|
||||
("can_test_conn", "Superset"), # Deprecated permission remove on 3.0.0
|
||||
("can_search_queries", "Superset"), # Deprecated permission remove on 3.0.0
|
||||
("can_activate", "TabStateView"),
|
||||
("can_get", "TabStateView"),
|
||||
("can_delete_query", "TabStateView"),
|
||||
("can_post", "TabStateView"),
|
||||
("can_delete", "TabStateView"),
|
||||
("can_put", "TabStateView"),
|
||||
("can_migrate_query", "TabStateView"),
|
||||
("menu_access", "SQL Lab"),
|
||||
("menu_access", "SQL Editor"),
|
||||
("menu_access", "Saved Queries"),
|
||||
|
@ -239,7 +270,7 @@ class SupersetSecurityManager( # pylint: disable=too-many-public-methods
|
|||
}
|
||||
|
||||
SQLLAB_EXTRA_PERMISSION_VIEWS = {
|
||||
("can_csv", "Superset"),
|
||||
("can_csv", "Superset"), # Deprecated permission remove on 3.0.0
|
||||
("can_read", "Superset"),
|
||||
("can_read", "Database"),
|
||||
}
|
||||
|
|
|
@ -68,7 +68,7 @@ class SqlLabRestApi(BaseSupersetApi):
|
|||
resource_name = "sqllab"
|
||||
allow_browser_login = True
|
||||
|
||||
class_permission_name = "Query"
|
||||
class_permission_name = "SQLLab"
|
||||
|
||||
execute_model_schema = ExecutePayloadSchema()
|
||||
|
||||
|
|
|
@ -202,6 +202,10 @@ class TestQueryApi(SupersetTestCase):
|
|||
gamma2 = self.create_user(
|
||||
"gamma_2", "password", "Gamma", email="gamma2@superset.org"
|
||||
)
|
||||
# Add SQLLab role to these gamma users, so they have access to queries
|
||||
sqllab_role = self.get_role("sql_lab")
|
||||
gamma1.roles.append(sqllab_role)
|
||||
gamma2.roles.append(sqllab_role)
|
||||
|
||||
gamma1_client_id = self.get_random_string()
|
||||
gamma2_client_id = self.get_random_string()
|
||||
|
@ -383,7 +387,7 @@ class TestQueryApi(SupersetTestCase):
|
|||
sql="SELECT col1, col2 from table1",
|
||||
)
|
||||
|
||||
self.login(username="gamma")
|
||||
self.login(username="gamma_sqllab")
|
||||
arguments = {"filters": [{"col": "sql", "opr": "sw", "value": "SELECT col1"}]}
|
||||
uri = f"api/v1/query/?q={prison.dumps(arguments)}"
|
||||
rv = self.client.get(uri)
|
||||
|
|
|
@ -748,7 +748,7 @@ class TestSavedQueryApi(SupersetTestCase):
|
|||
db.session.query(SavedQuery).filter(SavedQuery.created_by == admin).first()
|
||||
)
|
||||
|
||||
self.login(username="gamma")
|
||||
self.login(username="gamma_sqllab")
|
||||
argument = [sample_query.id]
|
||||
uri = f"api/v1/saved_query/export/?q={prison.dumps(argument)}"
|
||||
rv = self.client.get(uri)
|
||||
|
|
|
@ -1332,8 +1332,11 @@ class TestRolePermission(SupersetTestCase):
|
|||
self.assertNotIn(("menu_access", view_menu), permissions_set)
|
||||
|
||||
def assert_cannot_gamma(self, perm_set):
|
||||
self.assert_cannot_write("Annotation", perm_set)
|
||||
self.assert_cannot_write("CssTemplate", perm_set)
|
||||
self.assert_cannot_menu("SQL Lab", perm_set)
|
||||
self.assert_cannot_menu("CSS Templates", perm_set)
|
||||
self.assert_cannot_menu("Annotation Layers", perm_set)
|
||||
self.assert_cannot_menu("Manage", perm_set)
|
||||
self.assert_cannot_menu("Queries", perm_set)
|
||||
self.assert_cannot_menu("Import dashboards", perm_set)
|
||||
|
@ -1374,7 +1377,6 @@ class TestRolePermission(SupersetTestCase):
|
|||
self.assert_can_all("Annotation", perm_set)
|
||||
self.assert_can_all("CssTemplate", perm_set)
|
||||
self.assert_can_all("Dataset", perm_set)
|
||||
self.assert_can_read("Query", perm_set)
|
||||
self.assert_can_read("Database", perm_set)
|
||||
self.assertIn(("can_import_dashboards", "Superset"), perm_set)
|
||||
self.assertIn(("can_this_form_post", "CsvToDatabaseView"), perm_set)
|
||||
|
@ -1504,6 +1506,8 @@ class TestRolePermission(SupersetTestCase):
|
|||
self.assert_can_gamma(alpha_perm_tuples)
|
||||
self.assert_can_alpha(alpha_perm_tuples)
|
||||
self.assert_cannot_alpha(alpha_perm_tuples)
|
||||
self.assertNotIn(("can_this_form_get", "UserInfoEditView"), alpha_perm_tuples)
|
||||
self.assertNotIn(("can_this_form_post", "UserInfoEditView"), alpha_perm_tuples)
|
||||
|
||||
@pytest.mark.usefixtures("load_world_bank_dashboard_with_slices")
|
||||
def test_admin_permissions(self):
|
||||
|
@ -1548,6 +1552,8 @@ class TestRolePermission(SupersetTestCase):
|
|||
# make sure that user can create slices and dashboards
|
||||
self.assert_can_all("Dashboard", gamma_perm_set)
|
||||
self.assert_can_read("Dataset", gamma_perm_set)
|
||||
self.assert_can_read("Annotation", gamma_perm_set)
|
||||
self.assert_can_read("CssTemplate", gamma_perm_set)
|
||||
|
||||
# make sure that user can create slices and dashboards
|
||||
self.assert_can_all("Chart", gamma_perm_set)
|
||||
|
|
Loading…
Reference in New Issue