366 lines
13 KiB
Python
366 lines
13 KiB
Python
# -*- coding: utf-8 -*-
|
|
# pylint: disable=C,R,W
|
|
"""A set of constants and methods to manage permissions and security"""
|
|
from __future__ import absolute_import
|
|
from __future__ import division
|
|
from __future__ import print_function
|
|
from __future__ import unicode_literals
|
|
|
|
import logging
|
|
|
|
from flask import g
|
|
from flask_appbuilder.security.sqla import models as ab_models
|
|
from flask_appbuilder.security.sqla.manager import SecurityManager
|
|
from sqlalchemy import or_
|
|
|
|
from superset import sql_parse
|
|
from superset.connectors.connector_registry import ConnectorRegistry
|
|
|
|
READ_ONLY_MODEL_VIEWS = {
|
|
'DatabaseAsync',
|
|
'DatabaseView',
|
|
'DruidClusterModelView',
|
|
}
|
|
|
|
GAMMA_READ_ONLY_MODEL_VIEWS = {
|
|
'SqlMetricInlineView',
|
|
'TableColumnInlineView',
|
|
'TableModelView',
|
|
'DruidColumnInlineView',
|
|
'DruidDatasourceModelView',
|
|
'DruidMetricInlineView',
|
|
} | READ_ONLY_MODEL_VIEWS
|
|
|
|
ADMIN_ONLY_VIEW_MENUS = {
|
|
'AccessRequestsModelView',
|
|
'Manage',
|
|
'SQL Lab',
|
|
'Queries',
|
|
'Refresh Druid Metadata',
|
|
'ResetPasswordView',
|
|
'RoleModelView',
|
|
'Security',
|
|
'UserDBModelView',
|
|
'UserLDAPModelView',
|
|
'UserOAuthModelView',
|
|
'UserOIDModelView',
|
|
'UserRemoteUserModelView',
|
|
}
|
|
|
|
ALPHA_ONLY_VIEW_MENUS = {
|
|
'Upload a CSV',
|
|
}
|
|
|
|
ADMIN_ONLY_PERMISSIONS = {
|
|
'all_database_access',
|
|
'can_sql_json', # TODO: move can_sql_json to sql_lab role
|
|
'can_override_role_permissions',
|
|
'can_sync_druid_source',
|
|
'can_override_role_permissions',
|
|
'can_approve',
|
|
'can_update_role',
|
|
}
|
|
|
|
READ_ONLY_PERMISSION = {
|
|
'can_show',
|
|
'can_list',
|
|
}
|
|
|
|
ALPHA_ONLY_PERMISSIONS = set([
|
|
'muldelete',
|
|
'all_datasource_access',
|
|
])
|
|
|
|
OBJECT_SPEC_PERMISSIONS = set([
|
|
'database_access',
|
|
'schema_access',
|
|
'datasource_access',
|
|
'metric_access',
|
|
])
|
|
|
|
|
|
class SupersetSecurityManager(SecurityManager):
|
|
|
|
def get_schema_perm(self, database, schema):
|
|
if schema:
|
|
return '[{}].[{}]'.format(database, schema)
|
|
|
|
def can_access(self, permission_name, view_name, user=None):
|
|
"""Protecting from has_access failing from missing perms/view"""
|
|
if not user:
|
|
user = g.user
|
|
if user.is_anonymous():
|
|
return self.is_item_public(permission_name, view_name)
|
|
return self._has_view_access(user, permission_name, view_name)
|
|
|
|
def all_datasource_access(self, user=None):
|
|
return self.can_access(
|
|
'all_datasource_access', 'all_datasource_access', user=user)
|
|
|
|
def database_access(self, database, user=None):
|
|
return (
|
|
self.can_access(
|
|
'all_database_access', 'all_database_access', user=user) or
|
|
self.can_access('database_access', database.perm, user=user)
|
|
)
|
|
|
|
def schema_access(self, datasource, user=None):
|
|
return (
|
|
self.database_access(datasource.database, user=user) or
|
|
self.all_datasource_access(user=user) or
|
|
self.can_access('schema_access', datasource.schema_perm, user=user)
|
|
)
|
|
|
|
def datasource_access(self, datasource, user=None):
|
|
return (
|
|
self.schema_access(datasource, user=user) or
|
|
self.can_access('datasource_access', datasource.perm, user=user)
|
|
)
|
|
|
|
def datasource_access_by_name(
|
|
self, database, datasource_name, schema=None):
|
|
from superset import db
|
|
|
|
if self.database_access(database) or self.all_datasource_access():
|
|
return True
|
|
|
|
schema_perm = self.get_schema_perm(database, schema)
|
|
if schema and self.can_access('schema_access', schema_perm):
|
|
return True
|
|
|
|
datasources = ConnectorRegistry.query_datasources_by_name(
|
|
db.session, database, datasource_name, schema=schema)
|
|
for datasource in datasources:
|
|
if self.can_access('datasource_access', datasource.perm):
|
|
return True
|
|
return False
|
|
|
|
def datasource_access_by_fullname(
|
|
self, database, full_table_name, schema):
|
|
table_name_pieces = full_table_name.split('.')
|
|
if len(table_name_pieces) == 2:
|
|
table_schema = table_name_pieces[0]
|
|
table_name = table_name_pieces[1]
|
|
else:
|
|
table_schema = schema
|
|
table_name = table_name_pieces[0]
|
|
return self.datasource_access_by_name(
|
|
database, table_name, schema=table_schema)
|
|
|
|
def rejected_datasources(self, sql, database, schema):
|
|
superset_query = sql_parse.SupersetQuery(sql)
|
|
return [
|
|
t for t in superset_query.tables if not
|
|
self.datasource_access_by_fullname(database, t, schema)]
|
|
|
|
def user_datasource_perms(self):
|
|
datasource_perms = set()
|
|
for r in g.user.roles:
|
|
for perm in r.permissions:
|
|
if (
|
|
perm.permission and
|
|
'datasource_access' == perm.permission.name):
|
|
datasource_perms.add(perm.view_menu.name)
|
|
return datasource_perms
|
|
|
|
def schemas_accessible_by_user(self, database, schemas):
|
|
from superset import db
|
|
from superset.connectors.sqla.models import SqlaTable
|
|
if self.database_access(database) or self.all_datasource_access():
|
|
return schemas
|
|
|
|
subset = set()
|
|
for schema in schemas:
|
|
schema_perm = self.get_schema_perm(database, schema)
|
|
if self.can_access('schema_access', schema_perm):
|
|
subset.add(schema)
|
|
|
|
perms = self.user_datasource_perms()
|
|
if perms:
|
|
tables = (
|
|
db.session.query(SqlaTable)
|
|
.filter(
|
|
SqlaTable.perm.in_(perms),
|
|
SqlaTable.database_id == database.id,
|
|
)
|
|
.all()
|
|
)
|
|
for t in tables:
|
|
if t.schema:
|
|
subset.add(t.schema)
|
|
return sorted(list(subset))
|
|
|
|
def accessible_by_user(self, database, datasource_names, schema=None):
|
|
from superset import db
|
|
if self.database_access(database) or self.all_datasource_access():
|
|
return datasource_names
|
|
|
|
if schema:
|
|
schema_perm = self.get_schema_perm(database, schema)
|
|
if self.can_access('schema_access', schema_perm):
|
|
return datasource_names
|
|
|
|
user_perms = self.user_datasource_perms()
|
|
user_datasources = ConnectorRegistry.query_datasources_by_permissions(
|
|
db.session, database, user_perms)
|
|
if schema:
|
|
names = {
|
|
d.table_name
|
|
for d in user_datasources if d.schema == schema}
|
|
return [d for d in datasource_names if d in names]
|
|
else:
|
|
full_names = {d.full_name for d in user_datasources}
|
|
return [d for d in datasource_names if d in full_names]
|
|
|
|
def merge_perm(self, permission_name, view_menu_name):
|
|
# Implementation copied from sm.find_permission_view_menu.
|
|
# TODO: use sm.find_permission_view_menu once issue
|
|
# https://github.com/airbnb/superset/issues/1944 is resolved.
|
|
permission = self.find_permission(permission_name)
|
|
view_menu = self.find_view_menu(view_menu_name)
|
|
pv = None
|
|
if permission and view_menu:
|
|
pv = self.get_session.query(self.permissionview_model).filter_by(
|
|
permission=permission, view_menu=view_menu).first()
|
|
if not pv and permission_name and view_menu_name:
|
|
self.add_permission_view_menu(permission_name, view_menu_name)
|
|
|
|
def is_user_defined_permission(self, perm):
|
|
return perm.permission.name in OBJECT_SPEC_PERMISSIONS
|
|
|
|
def create_custom_permissions(self):
|
|
# Global perms
|
|
self.merge_perm('all_datasource_access', 'all_datasource_access')
|
|
self.merge_perm('all_database_access', 'all_database_access')
|
|
|
|
def create_missing_perms(self):
|
|
"""Creates missing perms for datasources, schemas and metrics"""
|
|
from superset import db
|
|
from superset.models import core as models
|
|
|
|
logging.info(
|
|
'Fetching a set of all perms to lookup which ones are missing')
|
|
all_pvs = set()
|
|
for pv in self.get_session.query(self.permissionview_model).all():
|
|
if pv.permission and pv.view_menu:
|
|
all_pvs.add((pv.permission.name, pv.view_menu.name))
|
|
|
|
def merge_pv(view_menu, perm):
|
|
"""Create permission view menu only if it doesn't exist"""
|
|
if view_menu and perm and (view_menu, perm) not in all_pvs:
|
|
self.merge_perm(view_menu, perm)
|
|
|
|
logging.info('Creating missing datasource permissions.')
|
|
datasources = ConnectorRegistry.get_all_datasources(db.session)
|
|
for datasource in datasources:
|
|
merge_pv('datasource_access', datasource.get_perm())
|
|
merge_pv('schema_access', datasource.schema_perm)
|
|
|
|
logging.info('Creating missing database permissions.')
|
|
databases = db.session.query(models.Database).all()
|
|
for database in databases:
|
|
merge_pv('database_access', database.perm)
|
|
|
|
logging.info('Creating missing metrics permissions')
|
|
metrics = []
|
|
for datasource_class in ConnectorRegistry.sources.values():
|
|
metrics += list(db.session.query(datasource_class.metric_class).all())
|
|
|
|
for metric in metrics:
|
|
if metric.is_restricted:
|
|
merge_pv('metric_access', metric.perm)
|
|
|
|
def clean_perms(self):
|
|
"""FAB leaves faulty permissions that need to be cleaned up"""
|
|
logging.info('Cleaning faulty perms')
|
|
sesh = self.get_session
|
|
pvms = (
|
|
sesh.query(ab_models.PermissionView)
|
|
.filter(or_(
|
|
ab_models.PermissionView.permission == None, # NOQA
|
|
ab_models.PermissionView.view_menu == None, # NOQA
|
|
))
|
|
)
|
|
deleted_count = pvms.delete()
|
|
sesh.commit()
|
|
if deleted_count:
|
|
logging.info('Deleted {} faulty permissions'.format(deleted_count))
|
|
|
|
def sync_role_definitions(self):
|
|
"""Inits the Superset application with security roles and such"""
|
|
from superset import conf
|
|
logging.info('Syncing role definition')
|
|
|
|
self.create_custom_permissions()
|
|
|
|
# Creating default roles
|
|
self.set_role('Admin', self.is_admin_pvm)
|
|
self.set_role('Alpha', self.is_alpha_pvm)
|
|
self.set_role('Gamma', self.is_gamma_pvm)
|
|
self.set_role('granter', self.is_granter_pvm)
|
|
self.set_role('sql_lab', self.is_sql_lab_pvm)
|
|
|
|
if conf.get('PUBLIC_ROLE_LIKE_GAMMA', False):
|
|
self.set_role('Public', self.is_gamma_pvm)
|
|
|
|
self.create_missing_perms()
|
|
|
|
# commit role and view menu updates
|
|
self.get_session.commit()
|
|
self.clean_perms()
|
|
|
|
def set_role(self, role_name, pvm_check):
|
|
logging.info('Syncing {} perms'.format(role_name))
|
|
sesh = self.get_session
|
|
pvms = sesh.query(ab_models.PermissionView).all()
|
|
pvms = [p for p in pvms if p.permission and p.view_menu]
|
|
role = self.add_role(role_name)
|
|
role_pvms = [p for p in pvms if pvm_check(p)]
|
|
role.permissions = role_pvms
|
|
sesh.merge(role)
|
|
sesh.commit()
|
|
|
|
def is_admin_only(self, pvm):
|
|
# not readonly operations on read only model views allowed only for admins
|
|
if (pvm.view_menu.name in READ_ONLY_MODEL_VIEWS and
|
|
pvm.permission.name not in READ_ONLY_PERMISSION):
|
|
return True
|
|
return (
|
|
pvm.view_menu.name in ADMIN_ONLY_VIEW_MENUS or
|
|
pvm.permission.name in ADMIN_ONLY_PERMISSIONS
|
|
)
|
|
|
|
def is_alpha_only(self, pvm):
|
|
if (pvm.view_menu.name in GAMMA_READ_ONLY_MODEL_VIEWS and
|
|
pvm.permission.name not in READ_ONLY_PERMISSION):
|
|
return True
|
|
return (
|
|
pvm.view_menu.name in ALPHA_ONLY_VIEW_MENUS or
|
|
pvm.permission.name in ALPHA_ONLY_PERMISSIONS
|
|
)
|
|
|
|
def is_admin_pvm(self, pvm):
|
|
return not self.is_user_defined_permission(pvm)
|
|
|
|
def is_alpha_pvm(self, pvm):
|
|
return not (self.is_user_defined_permission(pvm) or self.is_admin_only(pvm))
|
|
|
|
def is_gamma_pvm(self, pvm):
|
|
return not (self.is_user_defined_permission(pvm) or self.is_admin_only(pvm) or
|
|
self.is_alpha_only(pvm))
|
|
|
|
def is_sql_lab_pvm(self, pvm):
|
|
return (
|
|
pvm.view_menu.name in {
|
|
'SQL Lab', 'SQL Editor', 'Query Search', 'Saved Queries',
|
|
} or
|
|
pvm.permission.name in {
|
|
'can_sql_json', 'can_csv', 'can_search_queries', 'can_sqllab_viz',
|
|
'can_sqllab',
|
|
})
|
|
|
|
def is_granter_pvm(self, pvm):
|
|
return pvm.permission.name in {
|
|
'can_override_role_permissions', 'can_approve',
|
|
}
|