Add feature flags to control query sharing, KV exposure

[willbarrett]

CATEGORY

Choose one

• Bug Fix
• Enhancement (new features, refinement)
• Refactor
• Add tests
• Build / Development Environment
• Documentation

SUMMARY

Preset would like query sharing to abide by the rules of query visibility used in the rest of the project. To accomplish this, we have updated the Share Query button to leverage the saved query functionality rather than the KV model, with a feature flag should other organizations want to maintain the current functionality. We have also added a feature flag to disable the /kv endpoints entirely. They appear to be used only for query sharing inside of the Superset project, but we do not know how these are leveraged in other systems.

Note that following the link to the saved query will open the saved query in SQLLab, rather than the current behavior, which is to open a copy of the saved query in SQLLab.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

"Save Query" toast after the change:
With an unsaved query:

With a saved query:

TEST PLAN

ADDITIONAL INFORMATION

• Has associated issue:
• Changes UI
• Requires DB Migration.
• Confirm DB Migration upgrade and downgrade tested.
• Introduces new feature or API
• Removes existing feature or API

REVIEWERS

@robdiciuccio @etr2460 @suddjian @dpgaspar

[suddjian]

.bind(this) is only necessary when you are going to be passing this.getCopyUrlForKvStore around as a separate variable. If it's only called via this.getCopyUrlForKvStore() then this will be bound correctly and these lines are unnecessary.

[willbarrett]

I'll try removing them - I had to add them at one point to get things functioning.

[suddjian]

Looks good - very minor clarity nit

[etr2460]

This seems like a pretty major product/functionality change as far as completely removing the concept of one-off query sharing (i'm pretty sure the kv endpoints are also used for one-off chart sharing too). What tradeoffs were considered when thinking about this feature removal? I personally make use of the query and chart sharing features all the time.

cc @sylvia-tomiyama for her take too

[willbarrett]

@etr2460 the unsecured/unvalidated/unowned /kv/ endpoints are unacceptable from a security standpoint to Preset. We've provided feature flags so that other organizations can continue using the system as-is. The Cartel designs have a different model entirely for sharing, so we view this fix as a stop-gap in advance of that work.

[etr2460]

Could you expand a bit on the insecure nature of the /kv endpoints? It was my understanding that they'd let you view a query/chart form data, but actually running the query would still be dependent on the security manager granting you access to the base level datasources. They seem not unlike the google doc link sharing feature, and if the predictable nature of the urls is an issue then simply using a random key would resolve that issue.

[willbarrett]

@etr2460 I'll expand directly with you in Slack. I don't wish to have a detailed security-related conversation publicly.

[etr2460]

The summary of the conversation was to add some documentation about how to reenable the feature if desired and update the UPDATING.md file

[willbarrett]

@etr2460 let me know if that entry in UPDATING.md fits your needs or if there's somewhere else you'd like me to drop a note as well.

[etr2460]

a couple requests, looks good otherwise

[etr2460]

These should always be run in our test environment whether the flag is enabled or disabled. Can you set the feature flag to on before running them?

[willbarrett]

@etr2460 I spent an hour banging my head against it, and was unable to find an approach to modify feature flags after they were initialized without breaking the whole suite. I'm very open to recommendations.

[dpgaspar]

Could enabling this feature on just for the tests be a viable approach? superset_test_config.py

[etr2460]

In this case it would be, since the feature flag only removes functionality and doesn't add anything different. that said, I think we should be able to test both sides of the feature flag here, do you know how to do this @dpgaspar ?

Maybe mocking the feature flag checking function?

[willbarrett]

The issue in this case is that the application is booted once for the test suite and the feature flag changes the nature of the instantiation. This is a boot-time flag, not a run-time check. For this PR I'll go ahead and enable it for tests.

[codecov-io]

Codecov Report

❗ No coverage uploaded for pull request base (master@e5c7adf). Click here to learn what that means.
The diff coverage is 50%.

@@            Coverage Diff            @@
##             master    #9120   +/-   ##
=========================================
  Coverage          ?   59.08%           
=========================================
  Files             ?      372           
  Lines             ?    11933           
  Branches          ?     2921           
=========================================
  Hits              ?     7051           
  Misses            ?     4700           
  Partials          ?      182

Impacted Files	Coverage Δ
...frontend/src/dashboard/components/MissingChart.jsx	100% <ø> (ø)
superset-frontend/src/chart/chartAction.js	43.33% <50%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e5c7adf...dbe24cb. Read the comment docs.

[dpgaspar]

LGTM, currently has conflicts with master

[etr2460]

lgtm, thanks for the documentation!