mirror of https://github.com/apache/superset.git
232 lines
6.9 KiB
Python
232 lines
6.9 KiB
Python
"""A set of constants and methods to manage permissions and security"""
|
|
from __future__ import absolute_import
|
|
from __future__ import division
|
|
from __future__ import print_function
|
|
from __future__ import unicode_literals
|
|
|
|
import logging
|
|
from flask_appbuilder.security.sqla import models as ab_models
|
|
|
|
from superset import conf, db, sm
|
|
from superset.models import core as models
|
|
from superset.connectors.connector_registry import ConnectorRegistry
|
|
|
|
|
|
READ_ONLY_MODEL_VIEWS = {
|
|
'DatabaseAsync',
|
|
'DatabaseView',
|
|
'DruidClusterModelView',
|
|
}
|
|
|
|
GAMMA_READ_ONLY_MODEL_VIEWS = {
|
|
'SqlMetricInlineView',
|
|
'TableColumnInlineView',
|
|
'TableModelView',
|
|
'DruidColumnInlineView',
|
|
'DruidDatasourceModelView',
|
|
'DruidMetricInlineView',
|
|
} | READ_ONLY_MODEL_VIEWS
|
|
|
|
ADMIN_ONLY_VIEW_MENUS = {
|
|
'AccessRequestsModelView',
|
|
'Manage',
|
|
'SQL Lab',
|
|
'Queries',
|
|
'Refresh Druid Metadata',
|
|
'ResetPasswordView',
|
|
'RoleModelView',
|
|
'Security',
|
|
'UserDBModelView',
|
|
}
|
|
|
|
ADMIN_ONLY_PERMISSIONS = {
|
|
'all_database_access',
|
|
'can_sql_json', # TODO: move can_sql_json to sql_lab role
|
|
'can_override_role_permissions',
|
|
'can_sync_druid_source',
|
|
'can_override_role_permissions',
|
|
'can_approve',
|
|
'can_update_role',
|
|
}
|
|
|
|
READ_ONLY_PERMISSION = {
|
|
'can_show',
|
|
'can_list',
|
|
}
|
|
|
|
ALPHA_ONLY_PERMISSIONS = set([
|
|
'muldelete',
|
|
'all_datasource_access',
|
|
])
|
|
|
|
OBJECT_SPEC_PERMISSIONS = set([
|
|
'database_access',
|
|
'schema_access',
|
|
'datasource_access',
|
|
'metric_access',
|
|
])
|
|
|
|
|
|
def merge_perm(sm, permission_name, view_menu_name):
|
|
# Implementation copied from sm.find_permission_view_menu.
|
|
# TODO: use sm.find_permission_view_menu once issue
|
|
# https://github.com/airbnb/superset/issues/1944 is resolved.
|
|
permission = sm.find_permission(permission_name)
|
|
view_menu = sm.find_view_menu(view_menu_name)
|
|
pv = None
|
|
if permission and view_menu:
|
|
pv = sm.get_session.query(sm.permissionview_model).filter_by(
|
|
permission=permission, view_menu=view_menu).first()
|
|
if not pv and permission_name and view_menu_name:
|
|
sm.add_permission_view_menu(permission_name, view_menu_name)
|
|
|
|
|
|
def is_user_defined_permission(perm):
|
|
return perm.permission.name in OBJECT_SPEC_PERMISSIONS
|
|
|
|
|
|
def get_or_create_main_db():
|
|
logging.info("Creating database reference")
|
|
dbobj = (
|
|
db.session.query(models.Database)
|
|
.filter_by(database_name='main')
|
|
.first()
|
|
)
|
|
if not dbobj:
|
|
dbobj = models.Database(database_name="main")
|
|
dbobj.set_sqlalchemy_uri(conf.get("SQLALCHEMY_DATABASE_URI"))
|
|
dbobj.expose_in_sqllab = True
|
|
dbobj.allow_run_sync = True
|
|
db.session.add(dbobj)
|
|
db.session.commit()
|
|
return dbobj
|
|
|
|
|
|
def is_admin_only(pvm):
|
|
# not readonly operations on read only model views allowed only for admins
|
|
if (pvm.view_menu.name in READ_ONLY_MODEL_VIEWS and
|
|
pvm.permission.name not in READ_ONLY_PERMISSION):
|
|
return True
|
|
return (pvm.view_menu.name in ADMIN_ONLY_VIEW_MENUS or
|
|
pvm.permission.name in ADMIN_ONLY_PERMISSIONS)
|
|
|
|
|
|
def is_alpha_only(pvm):
|
|
if (pvm.view_menu.name in GAMMA_READ_ONLY_MODEL_VIEWS and
|
|
pvm.permission.name not in READ_ONLY_PERMISSION):
|
|
return True
|
|
return pvm.permission.name in ALPHA_ONLY_PERMISSIONS
|
|
|
|
|
|
def is_admin_pvm(pvm):
|
|
return not is_user_defined_permission(pvm)
|
|
|
|
|
|
def is_alpha_pvm(pvm):
|
|
return not (is_user_defined_permission(pvm) or is_admin_only(pvm))
|
|
|
|
|
|
def is_gamma_pvm(pvm):
|
|
return not (is_user_defined_permission(pvm) or is_admin_only(pvm) or
|
|
is_alpha_only(pvm))
|
|
|
|
|
|
def is_sql_lab_pvm(pvm):
|
|
return pvm.view_menu.name in {'SQL Lab'} or pvm.permission.name in {
|
|
'can_sql_json', 'can_csv', 'can_search_queries'}
|
|
|
|
|
|
def is_granter_pvm(pvm):
|
|
return pvm.permission.name in {'can_override_role_permissions',
|
|
'can_approve'}
|
|
|
|
|
|
def set_role(role_name, pvms, pvm_check):
|
|
logging.info("Syncing {} perms".format(role_name))
|
|
role = sm.add_role(role_name)
|
|
role_pvms = [p for p in pvms if pvm_check(p)]
|
|
role.permissions = role_pvms
|
|
sesh = sm.get_session()
|
|
sesh.merge(role)
|
|
sesh.commit()
|
|
|
|
|
|
def create_custom_permissions():
|
|
# Global perms
|
|
merge_perm(sm, 'all_datasource_access', 'all_datasource_access')
|
|
merge_perm(sm, 'all_database_access', 'all_database_access')
|
|
|
|
|
|
def create_missing_datasource_perms(view_menu_set):
|
|
logging.info("Creating missing datasource permissions.")
|
|
datasources = ConnectorRegistry.get_all_datasources(
|
|
db.session)
|
|
for datasource in datasources:
|
|
if datasource and datasource.perm not in view_menu_set:
|
|
merge_perm(sm, 'datasource_access', datasource.get_perm())
|
|
if datasource.schema_perm:
|
|
merge_perm(sm, 'schema_access', datasource.schema_perm)
|
|
|
|
|
|
def create_missing_database_perms(view_menu_set):
|
|
logging.info("Creating missing database permissions.")
|
|
databases = db.session.query(models.Database).all()
|
|
for database in databases:
|
|
if database and database.perm not in view_menu_set:
|
|
merge_perm(sm, 'database_access', database.perm)
|
|
|
|
|
|
def create_missing_metrics_perm(view_menu_set):
|
|
"""Create permissions for restricted metrics
|
|
|
|
:param metrics: a list of metrics to be processed, if not specified,
|
|
all metrics are processed
|
|
:type metrics: models.SqlMetric or models.DruidMetric
|
|
"""
|
|
logging.info("Creating missing metrics permissions")
|
|
metrics = []
|
|
for datasource_class in ConnectorRegistry.sources.values():
|
|
metrics += list(db.session.query(datasource_class.metric_class).all())
|
|
|
|
for metric in metrics:
|
|
if (metric.is_restricted and metric.perm and
|
|
metric.perm not in view_menu_set):
|
|
merge_perm(sm, 'metric_access', metric.perm)
|
|
|
|
|
|
def sync_role_definitions():
|
|
"""Inits the Superset application with security roles and such"""
|
|
logging.info("Syncing role definition")
|
|
|
|
get_or_create_main_db()
|
|
create_custom_permissions()
|
|
|
|
pvms = db.session.query(ab_models.PermissionView).all()
|
|
pvms = [p for p in pvms if p.permission and p.view_menu]
|
|
|
|
# cleanup
|
|
pvms_to_delete = [p for p in pvms if not (p.permission and p.view_menu)]
|
|
|
|
for pvm_to_delete in pvms_to_delete:
|
|
sm.get_session.delete(pvm_to_delete)
|
|
|
|
# Creating default roles
|
|
set_role('Admin', pvms, is_admin_pvm)
|
|
set_role('Alpha', pvms, is_alpha_pvm)
|
|
set_role('Gamma', pvms, is_gamma_pvm)
|
|
set_role('granter', pvms, is_granter_pvm)
|
|
set_role('sql_lab', pvms, is_sql_lab_pvm)
|
|
|
|
if conf.get('PUBLIC_ROLE_LIKE_GAMMA', False):
|
|
set_role('Public', pvms, is_gamma_pvm)
|
|
|
|
view_menu_set = []
|
|
for datasource_class in ConnectorRegistry.sources.values():
|
|
view_menu_set += list(db.session.query(datasource_class).all())
|
|
create_missing_datasource_perms(view_menu_set)
|
|
create_missing_database_perms(view_menu_set)
|
|
create_missing_metrics_perm(view_menu_set)
|
|
|
|
# commit role and view menu updates
|
|
sm.get_session.commit()
|