Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(security): dbs/clusters perm #10130

Conversation

john-bodley
Copy link
Member

@john-bodley john-bodley commented Jun 22, 2020

SUMMARY

Though both the Database and DruidCluster have a perm property (which is merely a concatenation of either the database or cluster name and record ID), the property only maps to a physical column for the Database model.

The perm column exists is so various permission based queries can be executed to determine if a user can access said data entities. The reason it is not a physical column for the DruidCluster model is probably an oversight as this logic is rarely used. Note this PR addresses the inconsistency.

Rather than storing the perm in the database I thought there was merit in deprecating the dbs.perm column and replacing it with a SQLAlchemy hybrid attribute. These hybrid attributes act like virtual columns and function in both Python and SQL (a SQL expression has been provided to deal with the casting of the id column to a string). If people are ok with these hybrid attributes I wonder if there's merit in deprecating all of the physical perm columns.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TEST PLAN

CI and added additional unit tests.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Changes UI
  • Requires DB Migration.
  • Confirm DB Migration upgrade and downgrade tested.
  • Introduces new feature or API
  • Removes existing feature or API

@john-bodley john-bodley force-pushed the john-bodley--dbs-and-clusters-hybrid-perm branch from 8842a35 to cd4da3e Compare June 22, 2020 05:19
@john-bodley john-bodley force-pushed the john-bodley--dbs-and-clusters-hybrid-perm branch from cd4da3e to 5d6be73 Compare June 22, 2020 05:32
@john-bodley john-bodley force-pushed the john-bodley--dbs-and-clusters-hybrid-perm branch from 5d6be73 to ff956af Compare June 22, 2020 05:55
Copy link
Member

@villebro villebro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very nice! First pass comments.

Comment on lines +652 to +653
def get_perm(self) -> str:
return self.perm # type: ignore
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there some reason we want to keep this around and not just reference perm wherever needed?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@villbro it’s required here. Note the set_perm callback is still required as it has other logic besides merely setting the perm column. For the dbs and clusters table perm and get_perm are equivalent and hence no database record will be updated (this has always been the case for the clusters table).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@@ -244,7 +244,7 @@ def can_access_database(self, database: Union["Database", "DruidCluster"]) -> bo
return (
self.can_access_all_datasources()
or self.can_access_all_databases()
or self.can_access("database_access", database.perm)
or self.can_access("database_access", database.perm) # type: ignore
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm surprised type checking has to be muted. Apparently mypy isn't comfortable with hybrid properties?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it struggles to identify which method this refers to.

Copy link
Member

@bkyryliuk bkyryliuk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is quite good step towards the cleanup, thanks!
1 thing would be useful to think about -> automatic FAB permission rename on the DB renames

1 more thing would be nice to see in this PR -> keeping FAB with DB permission in sync, e.g. cleaning

Comment on lines +652 to +653
def get_perm(self) -> str:
return self.perm # type: ignore
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@john-bodley
Copy link
Member Author

john-bodley commented Jun 22, 2020

@bkyryliuk could you elaborate some more in relation to:

1 thing would be useful to think about -> automatic FAB permission rename on the DB renames

and

1 more thing would be nice to see in this PR -> keeping FAB with DB permission in sync, e.g. cleaning

If you referring to the possible cascading of renames (I'm not sure if the database perm relates to the datasource per), I think if we moved completely to hybrid attributes this would be solved.

@john-bodley john-bodley merged commit 37777f3 into apache:master Jun 24, 2020
john-bodley added a commit to airbnb/superset-fork that referenced this pull request Jun 24, 2020
Co-authored-by: John Bodley <[email protected]>
(cherry picked from commit 37777f3)
@bkyryliuk
Copy link
Member

@john-bodley actually scratch that, looks like it is already happening in the sync. I've seen some abandoned permissions, but there is probably a difference reason for them.

@bkyryliuk could you elaborate some more in relation to:

1 thing would be useful to think about -> automatic FAB permission rename on the DB renames

and

1 more thing would be nice to see in this PR -> keeping FAB with DB permission in sync, e.g. cleaning

If you referring to the possible cascading of renames (I'm not sure if the database perm relates to the datasource per), I think if we moved completely to hybrid attributes this would be solved.

auxten pushed a commit to auxten/incubator-superset that referenced this pull request Nov 20, 2020
@mistercrunch mistercrunch added 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 0.37.0 labels Mar 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels size/L 🚢 0.37.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants