Add per schema permissions. (#1698)

* Add per schema permissions. * Address comments. * Add schema_access perms to the alpha and admin * Create permissions on addition databases and datasources. * Remove hybrid_property. Linter complains.
2024-09-12 08:39:45 -04:00 · 2016-11-29 14:16:55 -05:00 · 2016-11-29 14:16:55 -05:00 · fcb870728d
commit fcb870728d
parent 7919428a1e
4 changed files with 45 additions and 1 deletions
--- a/superset/models.py
+++ b/superset/models.py
@ -907,6 +907,11 @@ class SqlaTable(Model, Queryable, AuditMixinNullable, ImportMixin):
        return Markup(
            '<a href="{self.explore_url}">{table_name}</a>'.format(**locals()))

+    @property
+    def schema_perm(self):
+        """Returns schema permission if present, database one otherwise."""
+        return utils.get_schema_perm(self.database, self.schema)
+
    def get_perm(self):
        return (
            "[{obj.database}].[{obj.table_name}]"
@ -1625,6 +1630,19 @@ class DruidDatasource(Model, AuditMixinNullable, Queryable):
    def name(self):
        return self.datasource_name

+    @property
+    def schema(self):
+        name_pieces = self.datasource_name.split('.')
+        if len(name_pieces) > 1:
+            return name_pieces[0]
+        else:
+            return None
+
+    @property
+    def schema_perm(self):
+        """Returns schema permission if present, cluster one otherwise."""
+        return utils.get_schema_perm(self.cluster, self.schema)
+
    def get_perm(self):
        return (
            "[{obj.cluster_name}].[{obj.datasource_name}]"
--- a/superset/security.py
+++ b/superset/security.py
@ -30,6 +30,7 @@ ADMIN_ONLY_VIEW_MENUES = {
 ADMIN_ONLY_PERMISSIONS = {
    'all_database_access',
    'datasource_access',
+    'schema_access',
    'database_access',
    'can_sql_json',
    'can_override_role_permissions',
@ -50,6 +51,7 @@ ALPHA_ONLY_PERMISSIONS = set([
    'can_edit',
    'can_save',
    'datasource_access',
+    'schema_access',
    'database_access',
    'muldelete',
    'all_datasource_access',
@ -59,6 +61,7 @@ READ_ONLY_PRODUCT = set(

 OBJECT_SPEC_PERMISSIONS = set([
    'database_access',
+    'schema_access',
    'datasource_access',
    'metric_access',
 ])
@ -186,6 +189,9 @@ def sync_role_definitions():
    for datasource in datasources:
        perm = datasource.get_perm()
        sm.add_permission_view_menu('datasource_access', perm)
+        if datasource.schema:
+            sm.add_permission_view_menu(
+                'schema_access', datasource.schema_perm)
        if perm != datasource.perm:
            datasource.perm = perm

--- a/superset/utils.py
+++ b/superset/utils.py
@ -330,6 +330,12 @@ def get_datasource_full_name(database_name, datasource_name, schema=None):
    return "[{}].[{}].[{}]".format(database_name, schema, datasource_name)


+def get_schema_perm(database, schema):
+    if schema:
+        return "[{}].[{}]".format(database, schema)
+    return database.perm
+
+
 def validate_json(obj):
    if obj:
        try:
--- a/superset/views.py
+++ b/superset/views.py
@ -61,10 +61,16 @@ class BaseSupersetView(BaseView):
            self.can_access("database_access", database.perm)
        )

-    def datasource_access(self, datasource):
+    def schema_access(self, datasource):
        return (
            self.database_access(datasource.database) or
            self.all_datasource_access() or
+            self.can_access("schema_access", datasource.schema_perm)
+        )
+
+    def datasource_access(self, datasource):
+        return (
+            self.schema_access(datasource) or
            self.can_access("datasource_access", datasource.perm)
        )

@ -575,6 +581,9 @@ class DatabaseView(SupersetModelView, DeleteMixin):  # noqa
    def pre_add(self, db):
        db.set_sqlalchemy_uri(db.sqlalchemy_uri)
        security.merge_perm(sm, 'database_access', db.perm)
+        for schema in db.all_schema_names():
+            security.merge_perm(
+                sm, 'schema_access', utils.get_schema_perm(db, schema))

    def pre_update(self, db):
        self.pre_add(db)
@ -685,6 +694,9 @@ class TableModelView(SupersetModelView, DeleteMixin):  # noqa
    def post_add(self, table):
        table.fetch_metadata()
        security.merge_perm(sm, 'datasource_access', table.perm)
+        if table.schema:
+            security.merge_perm(sm, 'schema_access', table.schema_perm)
+
        flash(_(
            "The table was created. As part of this two phase configuration "
            "process, you should now click the edit button by "
@ -1049,6 +1061,8 @@ class DruidDatasourceModelView(SupersetModelView, DeleteMixin):  # noqa
    def post_add(self, datasource):
        datasource.generate_metrics()
        security.merge_perm(sm, 'datasource_access', datasource.perm)
+        if datasource.schema:
+            security.merge_perm(sm, 'schema_access', datasource.schema_perm)

    def post_update(self, datasource):
        self.post_add(datasource)